Abstract. We introduce an automata-theoretic method for the verification of distributed algorithms running on ring networks. In a distributed algorithm, an arbitrary number of processes cooperate to achieve a common goal (e.g., elect a leader). Processes have unique identifiers (pids) from an infinite, totally ordered domain. An algorithm proceeds in synchronous rounds, each round allowing a process to perform a bounded sequence of actions such as send or receive a pid, store it in some register, and compare register contents wrt. the associated total order. An algorithm is supposed to be correct independently of the number of processes. To specify correctness properties, we introduce a logic that can reason about processes and pids. Referring to leader election, it may say that, at the end of an execution, each process stores the maximum pid in some dedicated register. Since the verification of distributed algorithms is undecidable, we propose an underapproximation technique, which bounds the number of rounds. This is an appealing approach, as the number of rounds needed by a distributed algorithm to conclude is often exponentially smaller than the number of processes. We provide an automata-theoretic solution, reducing model checking to emptiness for alternating two-way automata on words. Overall, we show that round-bounded verification of distributed algorithms over rings is PSPACE-complete.


1 Introduction


Distributed algorithms are a classic discipline of computer science and continue to be an active field of research [13, 19]. A distributed algorithm employs several processes, which perform one and the same program to achieve a common goal. It is required to be correct independently of the number of processes. Prominent examples are leader-election algorithms, whose task is to determine a unique leader process and to announce it to all other processes. Those algorithms are often studied for ring architectures. One practical motivation comes from local-area networks that are based on a token-ring protocol. Moreover, rings generally allow one to nicely illustrate the main conceptual ideas of an algorithm.

However, it is well-known that there is no (deterministic) distributed algorithm over rings that elects a leader under the assumption of anonymous processes. Therefore, classical algorithms, such as Franklin's algorithm [14] or the Dolev-Klawe-Rodeh algorithm [?], assume that every process is equipped with a unique process identifier (pid) from an infinite, totally ordered domain. In this paper, we consider such distributed algorithms, which work on ring architectures and can access unique pids as well as the associated total order.

Distributed algorithms are intrinsically hard to analyze. Correctness proofs are often intricate and use subtle inductive arguments. Therefore, it is worthwhile to consider automatic verification methods such as model checking [?]. Besides a formal model of an algorithm, this requires a generic specification language that is feasible from an algorithmic point of view but expressive enough to formulate correctness properties. In this paper, we propose a language that can reason about processes, states, and pids. In particular, it will allow us to formalize when a leader-election algorithm is correct: At the end of an execution, every process stores, in register r, the maximum pid among all processes. Our language is inspired by Data-XPath, which can reason about trees over infinite alphabets [4, ?, 12].


However, formal verification of distributed algorithms cumulates various difficulties that already arise, separately, in more standard verification: First, the number of processes is unknown, which amounts to parameterized verification [11]; second, processes manipulate data from an infinite domain [5, 12]. In each case, even simple verification questions are undecidable, and so is the combination of both.

In various other contexts, a successful approach to retrieving decidability has been a form of bounded model checking. The idea is to consider correctness up to some parameter, which restricts the set of runs of the algorithm in a non-trivial way. In multi-threaded recursive programs, for example, one may restrict the number of control switches between different threads [20]. Actually, this idea seems even more natural in the context of distributed algorithms, which usually proceed in rounds. In each round, a process may emit some messages (here: pids) to its neighbors, and then receive messages from its neighbors. Pids can be stored in registers, and a process can check the relation between stored pids before it moves to a new state and is ready for a new round. It turns out that the number of rounds is often exponentially smaller than the number of processes (cf. the above-mentioned leader-election algorithms). Thus, roughly speaking, a small number of rounds allows us to verify correctness of an algorithm for a large number of processes.

The key idea of our method is to interpret a (round-bounded) execution of a distributed algorithm symbolically as a word-like structure over a finite alphabet. The finite alphabet is constituted by the transitions that occur in the algorithm and possibly contain tests of pids wrt. equality or the associated total order. To determine feasibility of a symbolic execution (i.e., is there a ring that satisfies all the guards employed?), we use propositional dynamic logic with loop and converse (LCPDL) over words [15]. Basically, we translate a given distributed algorithm into a formula that detects cyclic (i.e., contradictory) smaller-than tests. Its models are precisely the feasible symbolic executions. A specification is translated into LCPDL as well so that verification amounts to checking satisfiability of a single formula. The latter can be reduced to an emptiness problem for alternating two-way automata over words so that we obtain a PSPACE procedure for round-bounded model checking.

Related Work. Considerable effort has been devoted to the verification of fault-tolerant algorithms, which have to cope with faults such as lost or corrupted messages (e.g., [?, 13]). After all, there have been only very few generic approaches to model checking distributed algorithms. In [16], several possible reasons for this are identified, among them the presence of unbounded data types and an unbounded number of processes, which we have to treat simultaneously in our framework. Parameterized model checking of ring-based systems where communication is subject to a token policy and the message alphabet is finite has been studied in [3, 10].


The theory of words and trees over infinite alphabets (aka data words/trees) provides an elegant formal framework for database-related notions such as XML documents [?], or for the analysis of programs with data structures such as lists and arrays [?, ?]. Notably, streaming transducers [?] also work over an infinite, totally ordered domain. The difference to our work is that we model distributed algorithms and provide a logical specification language. Recall that the latter borrows concepts from [?, ?, 12], whose logic is designed to reason about XML documents. A fragment of MSO logic over ordered data trees was studied in [21]. The paper pursued a symbolic model-checking approach to systems involving data. But the model was purely sequential and pids could only be compared for equality. The ordering on the data domain actually has a subtle impact on the choice of the specification language.

Outline. In Section 2, we present our model of a distributed algorithm. Section 3 introduces the specification language to express correctness criteria. In Section 4, we show how to solve the round-bounded model-checking problem in polynomial space. We conclude in the last section. Some proof details are omitted but can be found in the appendix.

2 Distributed Algorithms

By $\mathbb{N} = \{0, 1, 2, \ldots\}$, we denote the set of natural numbers. For $n \in \mathbb{N}$, we set $[n] = \{1, \ldots, n\}$ and $[n]_0 = \{0, 1, \ldots, n\}$. The set of finite words over an alphabet $A$ is denoted by $A^*$, and the set of nonempty finite words by $A^+$.

Syntax of Distributed Algorithms. We consider distributed algorithms that run on arbitrary ring architectures. A ring consists of a finite number of processes, each having a unique process identifier (pid). Every process has a unique left neighbor (referred to by left) and a unique right neighbor (referred to by right). Formally, a ring is a tuple $\mathcal{R} = (n : p_1, \ldots, p_n)$, given by its size $n \ge 1$ and the pids $p_i \in \mathbb{N}$ assigned to process $i \in [n]$. We require that pids are unique, i.e., $p_i \ne p_j$ whenever $i \ne j$. For a process $i < n$, process $i + 1$ is the right neighbor of $i$. Moreover, 1 is the right neighbor of $n$. Analogously, if $i \ge 2$, then $i - 1$ is the left neighbor of $i$. Moreover, $n$ is the left neighbor of 1. Thus, processes 1 and $n$ must not be considered as the "first" or "last" process. Actually, a distributed algorithm will not be able to distinguish between, for example, $(4 : 4, 1, 5, 2)$ and $(4 : 5, 2, 4, 1)$.

One given distributed algorithm can be run on any ring. It is given by a single program $\mathcal{D}$, and each process runs a copy of $\mathcal{D}$. It is convenient to think of $\mathcal{D}$ as a (finite) automaton. Processes proceed in synchronous rounds. In one round, every process executes one transition of its program. In addition to the change of state, a process may optionally perform the following phases within a transition: (i) send some pids to its neighbors, (ii) receive pids from its neighbors and store them in registers, (iii) compare register contents with one another, (iv) update its registers. For example, consider the transition t = (s: left!r ; right!r' ; right?r' ; r < r' ; r := r' ; goto s'). A process can execute t if it is in state s. It then sends the contents of register r to its left neighbor and the contents of r' to its right neighbor. If, afterwards, it receives a pid p from its right neighbor, it stores p in r'. If p is greater than what has been stored in r, it sets r to p and goes to state s'. Otherwise, the transition is not applicable. The first phase can, alternatively, be filled with a special command fwd. Then, a process will just forward any pid it receives. Note that a message can be forwarded, in one and the same round, across several processes executing fwd.

Definition 1. A distributed algorithm $\mathcal{D} = (S, s_0, \mathit{Reg}, \Delta)$ consists of a nonempty finite set $S$ of (local) states, an initial state $s_0 \in S$, a nonempty finite set $\mathit{Reg}$ of registers, and a nonempty finite set $\Delta$ of transitions. A transition is of the form (s: send ; rec ; guard ; update ; goto s') where $s, s' \in S$ and the components send, rec, guard, and update are built as follows:

    send   ::= skip | fwd | left!r | right!r | left!r ; right!r'
    rec    ::= skip | left?r | right?r | left?r ; right?r'
    guard  ::= skip | r < r' | r = r' | guard ; guard
    update ::= skip | r := r' | update ; update
states: active, passive, found
initial state: active
registers: id, r, r1, r2

t1 = (active: left!id ; right!id ; left?r1 ; right?r2 ; r1 < id ; r2 < id ; goto active)
t2 = (active: ″ ; id < r1 ; goto passive)
t3 = (active: ″ ; id < r2 ; goto passive)
t4 = (active: ″ ; id = r1 ; r := id ; goto found)
t5 = (passive: fwd ; left?r ; goto passive)

Figure 1 Franklin's leader-election algorithm $\mathcal{D}_{\mathit{Franklin}}$ (″ repeats the send and receive phase of t1)


states: active0, active1, passive, found
initial state: active0
registers: id, r, r', r''

t1 = (active0: right!r ; left?r' ; goto active1)
t2 = (active1: right!r' ; left?r'' ; r'' < r' ; r < r' ; r := r' ; goto active0)
t3 = (active1: ″ ; r' < r ; goto passive)
t4 = (active1: ″ ; r' < r'' ; goto passive)
t5 = (active1: ″ ; r = r' ; goto found)
t6 = (passive: fwd ; left?r ; goto passive)

Figure 2 Dolev-Klawe-Rodeh leader-election algorithm $\mathcal{D}_{\mathit{DKR}}$ (″ repeats the send and receive phase of t2)


with r and r' ranging over $\mathit{Reg}$. We require that

(1) in a rec statement of the form left?r ; right?r', we have $r \ne r'$ (actually, the order of the two receive actions does not matter), and

(2) in an update statement, every register occurs at most once as a left-hand side.

In the following, occurrences of "skip" are omitted; this does not affect the semantics. ◁

Note that a guard $r \le r'$ can be simulated in terms of guards $r < r'$ and $r = r'$, using several transitions. We separate $<$ and $=$ for convenience. They are actually quite different in nature, as we will see later in the proof of our main result.

At the beginning of an execution of an algorithm, every register contains the pid of the respective process. We also assume, wlog., that there is a special register $\mathit{id} \in \mathit{Reg}$ that is never updated, i.e., no transition contains a command of the form left?id, right?id, or id := r. A process can thus, at any time, access its own pid in terms of id.

In the semantics, we will suppose that all updates of a transition happen simultaneously, i.e., after executing r := r' ; r' := r, the values previously stored in r and r' will be swapped (and do not necessarily coincide). As, moreover, the order of two sends and the order of two receives within a transition do not matter, this will allow us to identify a transition with the set of states, commands (apart from skip), and guards that it contains. For example, t = (s: left!r ; right!r' ; right?r' ; r < r' ; r := r' ; goto s') is considered as the set t = {s, left!r, right!r', right?r', r < r', r := r', goto s'}.

Before defining the semantics of a distributed algorithm, we will look at two examples. 


Example 2 (Franklin's Leader-Election Algorithm). Consider Franklin's algorithm $\mathcal{D}_{\mathit{Franklin}}$ to determine a leader in a ring [14]. It is given in Figure 1. The goal is to assign leadership to the process with the highest pid. To do so, every process sends its own pid to both neighbors, receives the pids of its left and right neighbor, and stores them in registers r1 and r2, respectively (transitions t1, ..., t4). If a process is a local maximum, i.e., r1 < id and r2 < id hold, it is still in the race for leadership and stays in state active. Otherwise, it has to take t2 or t3 and goes into state passive. In passive, a process will just forward any pid it receives and store the message coming from the left in r (transition t5). When an active process receives its own pid (transition t4), it knows it is the only remaining active process. It copies its own pid into r, which henceforth refers to the leader. We may say that a run is accepting (or terminating) when all processes terminate in passive or found. Then, at the end of any accepting run, (i) there is exactly one process $i_0$ that terminates in found, (ii) all processes store the pid of $i_0$ in register r, and (iii) the pid of $i_0$ is the maximum of all pids in the ring. Since, in every round, at least half of the active processes become passive, the algorithm terminates after at most $\lfloor \log_2 n \rfloor + 1$ rounds where $n$ is the number of processes. ◁

Example 3 (Dolev-Klawe-Rodeh Leader-Election Algorithm). The Dolev-Klawe-Rodeh leader-election algorithm is an adaptation of Franklin's algorithm to cope with unidirectional rings, where a process can only, say, send to the right and receive from the left. The algorithm, denoted $\mathcal{D}_{\mathit{DKR}}$, is given in Figure 2. The idea is that the local maximum among the processes $i-2, i-1, i$ is determined by $i$ (rather than $i-1$). Therefore, each process $i$ will execute two transitions, namely t1 and t2, and store the pids sent by $i-2$ and $i-1$ in r'' and r', respectively. After two rounds, since r still contains the pid of $i$ itself, $i$ can test if $i-1$ is a local maximum among $i-2, i-1, i$ using the guards in transition t2. If both guards are satisfied, $i$ stores the pid sent by $i-1$ in r. It henceforth "represents" process $i-1$, which is still in the race, and goes to state active0. Otherwise, it enters passive, which has the same task as in Franklin's algorithm. The algorithm is correct in the following sense: At the end of an accepting run (each process ends in passive or found), (i) there is exactly one process that terminates in found (but not necessarily the one with the highest pid), and (ii) all processes store the maximal pid in register r. The algorithm terminates after at most $2\lfloor \log_2 n \rfloor + 2$ rounds. Note that the correctness of $\mathcal{D}_{\mathit{DKR}}$ is less clear than that of $\mathcal{D}_{\mathit{Franklin}}$. ◁

Semantics of Distributed Algorithms. Now, we give the formal semantics of a distributed algorithm $\mathcal{D} = (S, s_0, \mathit{Reg}, \Delta)$. Recall that $\mathcal{D}$ can be run on any ring $\mathcal{R} = (n : p_1, \ldots, p_n)$. An ($\mathcal{R}$-)configuration of $\mathcal{D}$ is a tuple $(s_1, \ldots, s_n, \rho_1, \ldots, \rho_n)$ where $s_i$ is the current state of process $i$ and $\rho_i : \mathit{Reg} \to \{p_1, \ldots, p_n\}$ maps each register to a pid. The configuration is called initial if, for all processes $i \in [n]$, we have $s_i = s_0$ and $\rho_i(r) = p_i$ for all $r \in \mathit{Reg}$. Note that there is a unique initial $\mathcal{R}$-configuration.

In one round, the algorithm moves from one configuration to another one. This is described by a relation $C \Rightarrow_t C'$ where $C = (s_1, \ldots, s_n, \rho_1, \ldots, \rho_n)$ and $C' = (s'_1, \ldots, s'_n, \rho'_1, \ldots, \rho'_n)$ are $\mathcal{R}$-configurations and $t = (t_1, \ldots, t_n) \in \Delta^n$ is a tuple of transitions where $t_i$ is executed by process $i$. To determine when $C \Rightarrow_t C'$ holds, we first define two auxiliary relations. For registers $r, r' \in \mathit{Reg}$ and processes $i, j \in [n]$, we write $r@i \rightsquigarrow r'@j$ if the contents of $r$ is sent to the right from $i$ to $j$, where it is stored in $r'$. Thus, we require that

$$\mathsf{right!}r \in t_i \;\wedge\; \mathsf{left?}r' \in t_j \;\wedge\; \mathsf{fwd} \in t_k \text{ for all } k \in \mathit{Between}(i, j)$$

where $\mathit{Between}(i, j)$ means $\{i+1, \ldots, j-1\}$ if $i < j$ or $\{1, \ldots, j-1, i+1, \ldots, n\}$ if $j < i$. Note that, due to the fwd command, $r@i \rightsquigarrow r'@j$ may hold for several $r'$ and $j$. The meaning of $r'@j \leftsquigarrow r@i$ is analogous, we just replace "right direction" by "left direction":

$$\mathsf{left!}r \in t_i \;\wedge\; \mathsf{right?}r' \in t_j \;\wedge\; \mathsf{fwd} \in t_k \text{ for all } k \in \mathit{Between}(j, i).$$

The guards in the transitions are checked against "intermediate" register assignments $\tilde\rho_1, \ldots, \tilde\rho_n : \mathit{Reg} \to \{p_1, \ldots, p_n\}$, which are defined as follows:

$$\tilde\rho_j(r') = \begin{cases} \rho_i(r) & \text{if } r@i \rightsquigarrow r'@j \text{ or } r'@j \leftsquigarrow r@i \\ \rho_j(r') & \text{if, for all } r, i, \text{ neither } r@i \rightsquigarrow r'@j \text{ nor } r'@j \leftsquigarrow r@i \end{cases}$$

Note that this is well-defined, due to condition (1) in Definition 1.

Now, we write $C \Rightarrow_t C'$ if, for all $j \in [n]$ and $r, r' \in \mathit{Reg}$, the following hold:

1. $s_j \in t_j$ and $(\mathsf{goto}\ s'_j) \in t_j$,

2. $\tilde\rho_j(r) < \tilde\rho_j(r')$ if $(r < r') \in t_j$,

3. $\tilde\rho_j(r) = \tilde\rho_j(r')$ if $(r = r') \in t_j$,

4. $\rho'_j(r) = \tilde\rho_j(r')$ if $(r := r') \in t_j$, and $\rho'_j(r) = \tilde\rho_j(r)$ if $t_j$ does not contain an update of the form $r := r''$.

Again, 4. is well-defined thanks to condition (2) in Definition 1.

[Figure 3 Run of the Dolev-Klawe-Rodeh algorithm and runs of path automata (figure not reproduced here)]

An ($\mathcal{R}$-)run of $\mathcal{D}$ is a sequence $\chi = C_0 \Rightarrow_{t^1} C_1 \Rightarrow_{t^2} \cdots \Rightarrow_{t^k} C_k$ where $k \ge 1$, $C_0$ is the initial $\mathcal{R}$-configuration, and $t^j = (t^j_1, \ldots, t^j_n) \in \Delta^n$ for all $j \in [k]$. We call $k$ the length of $\chi$. Note that $\chi$ uniquely determines the underlying ring $\mathcal{R}$.


Remark 4. A receive command is always non-blocking even if there is no corresponding send. As an alternative semantics, one could require that it can only be executed if there has been a matching send, or vice versa. One could even include tags from a finite alphabet that can be sent along with pids. All this will not change any of the forthcoming results. ◁

Example 5. A run of $\mathcal{D}_{\mathit{DKR}}$ from Example 3 on the ring $\mathcal{R} = (7 : 4, 8, 3, 1, 6, 5, 7)$ is depicted in Figure 3 (for the moment, we may ignore the blue and violet lines). A colored row forms a configuration. The three pids in a cell refer to registers r, r', r'', respectively (we ignore id). Moreover, a non-colored row forms, together with the states above and below, a transition tuple. When looking at the step from $C_3$ to $C_4$, we have, for example, $r'@3 \rightsquigarrow r@4$ and $r'@3 \rightsquigarrow r''@6$. Moreover, $r'@6 \rightsquigarrow r@7$ and $r'@6 \rightsquigarrow r''@1$ (recall that we are in a ring). Note that the run conforms to the correctness property formulated in Example 3. In particular, in the final configuration, all processes store the maximum pid in register r. ◁


3 The Specification Language 


In Examples 2 and 3, we informally stated the correctness criterion for the presented algorithms (e.g., "at the end, all processes store the maximal pid in register r"). Now, we introduce a formal language to specify correctness properties. It is defined wrt. a given distributed algorithm $\mathcal{D} = (S, s_0, \mathit{Reg}, \Delta)$, which we fix for the rest of this section.

Typically, one requires that a distributed algorithm is correct no matter what the underlying ring is. Since we will bound the number of rounds, we moreover study a form of partial correctness. Accordingly, a property is of the form $\forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi$, which has to be read as "for all rings, all runs, and all processes $m$, we have $\varphi$". The marking $m$ is used to avoid "getting lost" in a ring when writing the property $\varphi$. This is like placing a pebble in the ring that can be retrieved at any time. Actually, $\varphi$ allows us to "navigate" back and forth ($\uparrow$ and $\downarrow$) in a run, i.e., from one configuration to the previous or next one (similar to a temporal logic with past operators). By means of $\leftarrow$ and $\rightarrow$, we may also navigate horizontally within a configuration, i.e., from one process to a neighboring one.

Essentially, a sequence of configurations is interpreted as a cylinder (cf. Figure 3) that can be explored using regular expressions $\pi$ over $\{\varepsilon, \leftarrow, \rightarrow, \uparrow, \downarrow\}$ (where $\varepsilon$ means "stay"). At a given position/coordinate of the cylinder, we can check local (or positional) properties like the state taken by a process, or whether we are on the marked process $m$. Such a property can be combined with a regular expression $\pi$: The formula $[\pi]\varphi$ says that $\varphi$ holds at every position that is reachable through a $\pi$-path (a path matching $\pi$). Dually, $\langle\pi\rangle\varphi$ holds if there is a $\pi$-path to some position where $\varphi$ is satisfied. The most interesting construct in our logic is $\langle\pi\rangle r \bowtie \langle\pi'\rangle r'$, where $\bowtie \in \{=, \neq, <, \le\}$, which has been used for reasoning about XML documents [?, ?, 12]. It says that, from the current position, there are a $\pi$-path and a $\pi'$-path that lead to positions $y$ and $y'$, respectively, such that the pid stored in register $r$ at $y$ and the pid stored in $r'$ at $y'$ satisfy the relation $\bowtie$.

We will now introduce our logic in full generality. Later, we will restrict the use of $<$- and $\le$-guards to obtain positive results.


Definition 6. The logic DataPDL($\mathcal{D}$) is given by the following grammar:

$$\begin{aligned}
\Phi &::= \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi \\
\varphi, \varphi' &::= m \mid s \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \varphi \Rightarrow \varphi' \mid [\pi]\varphi \mid \langle\pi\rangle r \bowtie \langle\pi'\rangle r' \\
\pi, \pi' &::= \{\varphi\}? \mid d \mid \pi + \pi' \mid \pi \cdot \pi' \mid \pi^*
\end{aligned}$$

where $s \in S$, $r, r' \in \mathit{Reg}$, $\bowtie \in \{=, \neq, <, \le\}$, and $d \in \{\varepsilon, \leftarrow, \rightarrow, \uparrow, \downarrow\}$. ◁

We call $\varphi$ a local formula, and $\pi$ a path formula. We use common abbreviations such as $\mathit{false} = m \wedge \neg m$, $\langle\pi\rangle\varphi = \neg[\pi]\neg\varphi$, and $\varphi \vee \varphi' = \neg(\neg\varphi \wedge \neg\varphi')$, and we may write $\pi\pi'$ instead of $\pi \cdot \pi'$. Implication is included explicitly in view of the restriction defined below.

Next, we define the semantics. Consider a run $\chi = C_0 \Rightarrow_{t^1} C_1 \Rightarrow_{t^2} \cdots \Rightarrow_{t^k} C_k$ of $\mathcal{D}$ where $C_j = (s^j_1, \ldots, s^j_n, \rho^j_1, \ldots, \rho^j_n)$, i.e., $n$ is the number of processes in the underlying ring. A local formula $\varphi$ is interpreted over $\chi$ wrt. a marked process $m \in [n]$ and a position $(i, j) \in \mathit{Pos}(\chi)$ where $\mathit{Pos}(\chi) = [n] \times [k]_0$. Let us define when $\chi, m, (i, j) \models \varphi$ holds. The operators $\wedge$, $\neg$, and $\Rightarrow$ are as usual. Moreover, $\chi, m, (i, j) \models m$ if $i = m$, and $\chi, m, (i, j) \models s$ if $s^j_i = s$.

The other local formulas use path formulas. The semantics of a path formula $\pi$ is given in terms of a binary relation $[\![\pi]\!]_{\chi, m} \subseteq \mathit{Pos}(\chi) \times \mathit{Pos}(\chi)$, which we define below. First, we set:

• $\chi, m, (i, j) \models [\pi]\varphi$ if, for all $(i', j')$ such that $((i, j), (i', j')) \in [\![\pi]\!]_{\chi, m}$, we have $\chi, m, (i', j') \models \varphi$

• $\chi, m, (i, j) \models \langle\pi\rangle r \bowtie \langle\pi'\rangle r'$ (where $\bowtie \in \{=, \neq, <, \le\}$) if there are $(i_1, j_1), (i_2, j_2)$ such that $((i, j), (i_1, j_1)) \in [\![\pi]\!]_{\chi, m}$ and $((i, j), (i_2, j_2)) \in [\![\pi']\!]_{\chi, m}$ and $\rho^{j_1}_{i_1}(r) \bowtie \rho^{j_2}_{i_2}(r')$

It remains to define $[\![\pi]\!]_{\chi, m}$ for a path formula $\pi$. First, a local test and a stay $\varepsilon$ do not "move" at all: $[\![\{\varphi\}?]\!]_{\chi, m} = \{(x, x) \mid x \in \mathit{Pos}(\chi) \text{ such that } \chi, m, x \models \varphi\}$, and $[\![\varepsilon]\!]_{\chi, m} = \{(x, x) \mid x \in \mathit{Pos}(\chi)\}$. Using $\rightarrow$, we move to the right neighbor of a process: $[\![\rightarrow]\!]_{\chi, m} = \{((i, j), (i+1, j)) \mid i \in [n-1] \text{ and } j \in [k]_0\} \cup \{((n, j), (1, j)) \mid j \in [k]_0\}$. We define $[\![\leftarrow]\!]_{\chi, m}$ accordingly. Moreover, $[\![\downarrow]\!]_{\chi, m} = \{((i, j), (i, j+1)) \mid i \in [n] \text{ and } j \in [k-1]_0\}$, and similarly for $[\![\uparrow]\!]_{\chi, m}$. The regular constructs $+$, $\cdot$, and $*$ are as expected and refer to the union, relation composition, and star over binary relations.

Finally, $\mathcal{D}$ satisfies the DataPDL formula $\forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi$, written $\mathcal{D} \models \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi$, if, for all rings $\mathcal{R} = (n : \ldots)$, all $\mathcal{R}$-runs $\chi$, and all processes $m \in [n]$, we have $\chi, m, (m, 0) \models \varphi$. Thus, $\varphi$ is evaluated at the first configuration, wrt. all processes $m$.

Next, we define a restricted logic, DataPDL°($\mathcal{D}$), for which we later present our main result. We say that a path formula $\pi$ is unambiguous if, from a given position, it defines at most one reference point. Formally, for all rings $\mathcal{R} = (n : \ldots)$, $\mathcal{R}$-runs $\chi$ of $\mathcal{D}$, processes $m \in [n]$, and positions $x \in \mathit{Pos}(\chi)$, there is at most one $x' \in \mathit{Pos}(\chi)$ such that $(x, x') \in [\![\pi]\!]_{\chi, m}$. For example, $\varepsilon$, $\downarrow$, $\rightarrow$, and $\rightarrow^*\{m\}?$ are unambiguous, while $\rightarrow^*$ and $\leftarrow + \rightarrow$ are not unambiguous.

Definition 7. A DataPDL($\mathcal{D}$) formula is contained in DataPDL°($\mathcal{D}$) if every subformula $\varphi = \langle\pi\rangle r \bowtie \langle\pi'\rangle r'$ with $\bowtie \in \{<, \le\}$ is such that $\pi$ and $\pi'$ are unambiguous. Moreover, $\varphi$ must not occur (i) in the scope of a negation, (ii) on the left-hand side of an implication, or (iii) within a test $\{\_\}?$. Note that guards using $=$ and $\neq$ are still unrestricted. ◁

Example 8. Let us formalize, in DataPDL°($\mathcal{D}$), the correctness criteria for $\mathcal{D}_{\mathit{Franklin}}$ and $\mathcal{D}_{\mathit{DKR}}$ that we stated informally in Examples 2 and 3. Consider the following local formulas:

$$\begin{aligned}
\varphi_{\mathit{last}} &= [\downarrow]\mathit{false} & \varphi_{\mathit{max}} &= [\rightarrow^*](\langle\varepsilon\rangle\mathit{id} \le \langle\pi_{\mathit{found}}\rangle r) \\
\varphi_{\mathit{acc}} &= [\rightarrow^*](\mathit{passive} \vee \mathit{found}) & \varphi_{r=\mathit{id}} &= \langle\pi_{\mathit{found}}\rangle(\langle\varepsilon\rangle r = \langle\varepsilon\rangle\mathit{id}) \\
\varphi_{\mathit{found}} &= \langle\pi_{\mathit{found}} \cdot \rightarrow \cdot (\{\neg\mathit{found}\}? \cdot \rightarrow)^*\rangle m & \varphi_{r=r} &= \neg\langle\rightarrow^*\rangle(\langle\varepsilon\rangle r \neq \langle\rightarrow\rangle r)
\end{aligned}$$

where $\pi_{\mathit{found}} = (\{\neg\mathit{found}\}? \cdot \rightarrow)^* \cdot \{\mathit{found}\}?$. Note that $\pi_{\mathit{found}}$ is unambiguous: while going to the right, it always stops at the nearest process that is in state found. Thus, $\varphi_{\mathit{max}}$ is indeed a local DataPDL° formula. Consider the DataPDL° formula

$$\Phi_1 = \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,[\downarrow^*]\big((\varphi_{\mathit{last}} \wedge \varphi_{\mathit{acc}}) \Rightarrow (\varphi_{\mathit{found}} \wedge \varphi_{\mathit{max}} \wedge \varphi_{r=r} \wedge \varphi_{r=\mathit{id}})\big).$$

It says that, at the end (i.e., in the last configuration) of each accepting run, expressed by $[\downarrow^*]((\varphi_{\mathit{last}} \wedge \varphi_{\mathit{acc}}) \Rightarrow \ldots)$, we have that

(i) there is exactly one process $i_0$ that ends in state found (guaranteed by $\varphi_{\mathit{found}}$),

(ii) register r of $i_0$ contains the maximum over all pids ($\varphi_{\mathit{max}}$),

(iii) register r of $i_0$ contains the pid of $i_0$ itself ($\varphi_{r=\mathit{id}}$), and

(iv) all processes store the same pid in r ($\varphi_{r=r}$).

Thus, $\mathcal{D}_{\mathit{Franklin}} \models \Phi_1$. On the other hand, we have $\mathcal{D}_{\mathit{DKR}} \not\models \Phi_1$ because in $\mathcal{D}_{\mathit{DKR}}$ the process that ends in found is not necessarily the process with the maximum pid. However, we still have $\mathcal{D}_{\mathit{DKR}} \models \Phi_2$ where

$$\Phi_2 = \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,[\downarrow^*]\big((\varphi_{\mathit{last}} \wedge \varphi_{\mathit{acc}}) \Rightarrow (\varphi_{\mathit{found}} \wedge \varphi_{\mathit{max}} \wedge \varphi_{r=r})\big).$$

The next example formulates the correctness constraint for a distributed sorting algorithm. We would like to say that, at the end of an accepting run, the pids stored in registers r are strictly totally ordered. Suppose $\varphi_{\mathit{acc}}$ represents an acceptance condition and $\varphi_{\mathit{least}}$ says that there is exactly one process that terminates in some dedicated state least, similarly to $\varphi_{\mathit{found}}$ above. Then,

$$\Phi_3 = \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,[\downarrow^*]\big((\varphi_{\mathit{last}} \wedge \varphi_{\mathit{acc}}) \Rightarrow (\varphi_{\mathit{least}} \wedge [\rightarrow \cdot \{\neg\mathit{least}\}?](\langle\leftarrow\rangle r < \langle\varepsilon\rangle r))\big)$$

makes sure that, whenever process $j$ is not terminating in least, its left neighbor $i$ stores a smaller pid in r than $j$ does.

Note that $\Phi_1$, $\Phi_2$, and $\Phi_3$ are indeed DataPDL° formulas. ◁

Unsurprisingly, model checking distributed algorithms against DataPDL° is undecidable:

Theorem 9. The following problem is undecidable: Given a distributed algorithm $\mathcal{D}$ and $\Phi \in$ DataPDL°($\mathcal{D}$), do we have $\mathcal{D} \models \Phi$? (Actually, this even holds for formulas $\Phi$ that express simple state-reachability properties and do not use any guards on pids.)


4 Round-Bounded Model Checking 


In the realm of multithreaded concurrent programs, where model checking is undecidable in general, a fruitful approach has been to underapproximate the behavior of a system [20]. The idea is to introduce a parameter that measures a characteristic of a run such as the number of thread switches it performs. One then imposes a bound on this parameter and explores all behaviors up to that bound. In numerous distributed algorithms, the number $b$ of rounds needed to conclude is exponentially smaller than the number of processes (cf. Examples 2 and 3). Therefore, $b$ seems to be a promising parameter for bounded model checking of distributed algorithms.

For a distributed algorithm $\mathcal{D}$, a formula $\Phi = \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi \in \mathrm{DataPDL}(\mathcal{D})$, and $b \ge 1$, we write $\mathcal{D} \models_b \Phi$ if, for all rings $\mathcal{R} = (n : \ldots)$, all $\mathcal{R}$-runs $\chi$ of length $k \le b$, and all processes $m \in [n]$, we have $\chi, m, (m, 0) \models \varphi$. We now present our main result:

Theorem 10. The following problem is PSPACE-complete: Given a distributed algorithm $\mathcal{D}$, $\Phi \in$ DataPDL°($\mathcal{D}$), and a natural number $b \ge 1$ (encoded in unary), do we have $\mathcal{D} \models_b \Phi$?

The lower-bound proof, a reduction from the intersection-emptiness problem for a list of finite automata, can be found in the appendix. Before we prove the upper bound, let us discuss the result in more detail. We will first compare it with "naïve" approaches to solve related questions. Consider the problem to determine whether a distributed algorithm satisfies its specification for all rings up to size $n$ and all runs up to length $b$. This problem is in coNP: We guess a ring (i.e., essentially, a permutation of pids) and a run, and we check whether the run does not satisfy the formula. Next, suppose only $b$ is given and the question is whether, for all rings up to size $2^b$ and all runs up to length $b$, the property holds. Then, the above procedure gives us a coNEXPTIME algorithm.

Thus, our result is interesting complexity-wise, but it offers some other advantages. First, it actually checks correctness (up to round number $b$) for all rings. This is essential when verifying distributed protocols against safety properties. Second, it reduces to a satisfiability check in the well-studied propositional dynamic logic with loop and converse (LCPDL) [15], which in turn can be reduced to an emptiness check of alternating two-way automata (A2As) over words [23]. The "naive" approaches, on the other hand, do not seem to give rise to viable algorithms. Finally, our approach is uniform in the following sense: We will construct, in polynomial time, an A2A that recognizes precisely the symbolic abstractions of runs (over arbitrary rings) that violate (or satisfy) a given formula. Our construction is independent of the parameter $b$. The emptiness check then requires a bound on the number of rounds (or on the number of processes), which can be adjusted gradually without changing the automaton.

Proof Outline for Upper Bound of Theorem 10. Let $\mathcal{D}$ be the given distributed algorithm and $\Phi \in \mathrm{DataPDL}^\ominus(\mathcal{D})$. We will reduce model checking to the satisfiability problem for LCPDL [15]. While $\mathrm{DataPDL}^\ominus$ is interpreted over runs, containing pids from an infinite alphabet, the new logic will reason about symbolic abstractions over a finite alphabet. A symbolic abstraction of a run only keeps the transitions and discards pids. Thus, it can be seen as a table (or picture) whose entries are transitions (cf. the figure illustrating symbolic runs).

First, we translate $\mathcal{D}$ into an LCPDL formula. Essentially, it checks that guards are not used in a contradictory way. To compare $\mathcal{D}$ with $\Phi$, the latter is translated into an LCPDL formula, too. However, there is a subtle point here. For simplicity, let us write $r < r'$ instead of $\langle\varepsilon\rangle r < \langle\varepsilon\rangle r'$. Satisfaction of a formula $r < r'$ can only be guaranteed in a symbolic execution if the flow of pids provides evidence that $r < r'$ really holds. More concretely, the (hypothetical) formula $(r < r') \vee (r = r') \vee (r' < r)$ is a tautology, but it may not be possible to prove any of its disjuncts on the basis of a symbolic run. This is the reason why $\mathrm{DataPDL}^\ominus$ restricts the use of comparison tests such as $r < r'$. It is then indeed enough to reason about symbolic runs (cf. Lemma 13 below). We leave open whether one can deal with full DataPD L.

Overall, we reduce model checking to satisfiability of the conjunction of two LCPDL formulas of polynomial size: the formula representing the algorithm, and the negation of the formula representing the specification. Satisfiability of LCPDL over symbolic runs (of bounded height) can be checked in PSPACE [15] by a reduction to the emptiness problem for A2As over words [23]. Our approach is, thus, automata theoretic in spirit, though the power of alternation is used differently than in [22], which translates LTL formulas into automata.


Next, we present the logic LCPDL over symbolic runs. Then, in separate subsections, we translate $\mathcal{D}$ as well as its $\mathrm{DataPDL}^\ominus$ specification into LCPDL. For the remainder of this section, we fix a distributed algorithm $\mathcal{D} = (S, s_0, \mathrm{Reg}, \Delta)$.


PDL with Loop and Converse (LCPDL). As mentioned before, a symbolic abstraction of a run of $\mathcal{D}$ is a table, whose entries are transitions from the finite alphabet $\Delta$. A table is a triple $T = (n,k,\lambda)$ where $n,k \geq 1$ and $\lambda : \mathit{Pos}(T) \to \Delta$ labels each position/coordinate from $\mathit{Pos}(T) = [n] \times [k]_0$ with a transition. Thus, we may consider that $T$ has $n$ columns and $k+1$ rows. In the following, we will write $T[i,j]$ for $\lambda(i,j)$, and $T[i]$ for the $i$-th column of $T$, i.e., $T[i] = T[i,0] \ldots T[i,k] \in \Delta^+$. Let $\Delta^{++}$ denote the set of all tables.

Formulas $\psi \in \mathrm{LCPDL}(\mathcal{D})$ are interpreted over tables. Their syntax is given as follows:

$\psi, \psi' ::= t \mid s \mid \mathit{goto}\ s \mid \mathit{fwd} \mid \mathit{left!}r \mid \mathit{right!}r \mid \mathit{left?}r \mid \mathit{right?}r \mid r < r' \mid r = r' \mid r := r' \mid \neg\psi \mid \psi \wedge \psi' \mid \langle\pi\rangle\psi \mid \mathrm{loop}(\pi)$

$\pi, \pi' ::= \{\psi\}? \mid d \mid \pi + \pi' \mid \pi \cdot \pi' \mid \pi^* \mid \pi^{-1} \mid \mathcal{A}$

where $t \in \Delta$, $s \in S$, $r,r' \in \mathrm{Reg}$, $d \in \{\varepsilon, \rightarrow, \downarrow\}$, and $\mathcal{A}$ is a path automaton: a non-deterministic finite automaton whose transitions are labeled with path formulas $\pi$. Again, $\psi$ is called a local formula. We use common abbreviations to include disjunction, implication, true, and false, and we let $\pi^+ = \pi \cdot \pi^*$, $[\pi]\psi = \neg\langle\pi\rangle\neg\psi$, $\langle\pi\rangle = \langle\pi\rangle\mathit{true}$, $\leftarrow\; = \;\rightarrow^{-1}$, and $\uparrow\; = \;\downarrow^{-1}$.

Figure 4  Path formulas to trace back transmission of pids:

$\mathit{loc}^{0,1}_{r,r'} = \{\bigwedge_{d \in \{\mathit{left},\mathit{right}\}} \neg(d?r)\}?$ if $r = r'$, and $\{\mathit{false}\}?$ if $r \neq r'$

$\mathit{upd}^{1,2}_{r,r'} = \{\bigwedge_{r'' \neq r} \neg(r := r'')\}?$ if $r = r'$, and $\{r' := r\}?$ if $r \neq r'$

$\mathit{msg}^{0,1}_{r,r'} = \{\mathit{right!}r\}? \cdot (\rightarrow \cdot \{\mathit{fwd}\}?)^* \cdot \rightarrow \cdot \{\mathit{left?}r'\}? \;+\; \{\mathit{left!}r\}? \cdot (\leftarrow \cdot \{\mathit{fwd}\}?)^* \cdot \leftarrow \cdot \{\mathit{right?}r'\}?$

$\mathit{next}^{2,0}_{r,r'} = \;\downarrow$ if $r = r'$, and $\{\mathit{false}\}?$ if $r \neq r'$

The semantics of LCPDL is very similar to that of DataPDL. A local formula $\psi$ is interpreted over a table $T = (n,k,\lambda)$ and a position $x \in \mathit{Pos}(T)$. When it is satisfied, we write $T, x \models \psi$. Moreover, a path formula $\pi$ determines a binary relation $\llbracket\pi\rrbracket_T \subseteq \mathit{Pos}(T) \times \mathit{Pos}(T)$, relating those positions that are connected by a path matching $\pi$.

We consider only the most important cases: We have $T,(i,j) \models t$ if $T[i,j] = t$. For a state, command, guard, or update $\gamma$, let $T,(i,j) \models \gamma$ if $\gamma \in T[i,j]$. Loop and converse are as expected: $T, x \models \mathrm{loop}(\pi)$ if $(x,x) \in \llbracket\pi\rrbracket_T$, and $\llbracket\pi^{-1}\rrbracket_T = \{(y,x) \mid (x,y) \in \llbracket\pi\rrbracket_T\}$. The semantics of $\rightarrow$ (and $\leftarrow$) is slightly different than in DataPDL, since we are not allowed to go beyond the last and first column. Thus, $\llbracket\rightarrow\rrbracket_T = \{((i,j),(i+1,j)) \mid i \in [n-1] \text{ and } j \in [k]_0\}$. However, we can simulate the "roundabout" of a ring and set

$\rightarrow_\circ \;=\; \rightarrow \;+\; \{\neg\langle\rightarrow\rangle\}? \cdot (\leftarrow)^* \cdot \{\neg\langle\leftarrow\rangle\}?$

as well as, symmetrically, $\leftarrow_\circ \;=\; \leftarrow \;+\; \{\neg\langle\leftarrow\rangle\}? \cdot (\rightarrow)^* \cdot \{\neg\langle\rightarrow\rangle\}?$: from a position in the last column, the first summand is disabled and the second one walks back to the first column. Actually, the first column of a table will play the role of a marked process in a ring (later, $m$ will be translated to $\neg\langle\leftarrow\rangle$).

Finally, the semantics of path automata is given by $\llbracket\mathcal{A}\rrbracket_T = \{(x,y) \mid \text{there is } \pi_1 \ldots \pi_\ell \in L(\mathcal{A}) \text{ with } (x,y) \in \llbracket\pi_1 \cdot \ldots \cdot \pi_\ell\rrbracket_T\}$, where $L(\mathcal{A})$ contains a sequence $\pi_1 \ldots \pi_\ell$ of path formulas if $\mathcal{A}$ admits a path $q_0 \xrightarrow{\pi_1} q_1 \xrightarrow{\pi_2} \cdots \xrightarrow{\pi_\ell} q_\ell$ from its initial state $q_0$ to a final state $q_\ell$.

A formula $\psi \in \mathrm{LCPDL}(\mathcal{D})$ defines the language $L(\psi) = \{T \in \Delta^{++} \mid T,(1,0) \models \psi\}$. For $b \geq 1$, we denote by $L_b(\psi)$ the set of tables $(n,k,\lambda) \in L(\psi)$ such that $k \leq b$.

Theorem 11 (essentially [15]). The following problem is PSPACE-complete: Given a distributed algorithm $\mathcal{D}$, a formula $\psi \in \mathrm{LCPDL}(\mathcal{D})$, and $b \geq 1$ (encoded in unary), do we have $L_b(\psi) = \emptyset$? (The input $\mathcal{D}$ is only needed to determine the signature of the logic.)

From Distributed Algorithms to LCPDL. Wlog., we assume that $\Delta$ contains $\iota = (s_\iota : \mathit{skip};\ \mathit{skip};\ \mathit{skip};\ \mathit{skip};\ \mathit{goto}\ s_0)$ where $s_\iota \neq s_0$ does not occur in any other transition.

Let $\mathcal{R} = (n : p_1,\ldots,p_n)$ be a ring and $\chi = C_0 \xrightarrow{t^1} C_1 \xrightarrow{t^2} \cdots \xrightarrow{t^k} C_k$ be an $\mathcal{R}$-run of $\mathcal{D}$, where $t^j = (t^j_1,\ldots,t^j_n) \in \Delta^n$ for all $j \in [k]$. From $\chi$, we extract the symbolic run $T_\chi = (n,k,\lambda) \in \Delta^{++}$ given by its columns $T_\chi[i] = \iota\, t^1_i \ldots t^k_i$. The purpose of the dummy transition $\iota$ at the beginning of a column is to match the number of configurations in a run.

We will construct, in polynomial time, a formula $\psi_{\mathcal{D}} \in \mathrm{LCPDL}(\mathcal{D})$ such that $L(\psi_{\mathcal{D}}) = \{T_\chi \mid \chi \text{ is a run of } \mathcal{D}\}$. In particular, $\psi_{\mathcal{D}}$ will verify that (i) there are no cyclic dependencies that arise from $<$-guards, and (ii) registers in equality guards can be traced back to the same origin. In that case, the symbolic run is consistent and corresponds to a "real" run of $\mathcal{D}$.

The main ingredients of $\psi_{\mathcal{D}}$ are some path formulas that describe the transmission of pids in a symbolic run. They are depicted in Figure 4. For $\theta \in \{\mathit{loc}, \mathit{msg}, \mathit{upd}, \mathit{next}\}$ and $h,h' \in \{0,1,2\}$, the meaning of $(x,y) \in \llbracket\theta^{h,h'}_{r,r'}\rrbracket_T$ is that the pid stored in $r$ at stage $h$ of position/transition $x$ has been propagated to register $r'$ at stage $h'$ of $y$. Here, $h = 0$ means "after sending", $h = 1$ "after receiving", and $h = 2$ "after register update". The interpretation of "propagated" depends on $\theta$. Formula $\mathit{loc}^{0,1}_{r,r'}$ says that the value of register $r$ is not affected by reception. Similarly, $\mathit{upd}^{1,2}_{r,r'}$ takes care of updates. Formula $\mathit{next}^{2,0}_{r,r'}$ allows us to switch to the next transition of a process, preserving the value of $r$ ($= r'$). The most interesting case is $\mathit{msg}^{0,1}_{r,r'}$, which describes paths across several processes. It relates the sending of $r$ and a corresponding receive in $r'$, which requires that all intermediate transitions are forward transitions. All path formulas are also illustrated graphically.

Since pids can be transmitted along several transitions and messages, the formulas $\theta^{h,h'}_{r,r'}$ will be composed by path automata. For $h \in \{1,2\}$ and $r \in \mathrm{Reg}$, we define a path automaton $\mathcal{A}^h_r$ that, in $T_\chi$, connects some positions $(i,0)$ and $(i',j')$ iff, in $\chi$, register $r$ stores $p_i$ at stage $h$ of position $(i',j')$. Its set of states is $\{\iota\} \cup (\{0,1,2\} \times \mathrm{Reg})$. For all $r \in \mathrm{Reg}$, there is a transition from the initial state $\iota$ to $(0,r)$ with transition label $\{\iota\}?$. Thus, the automaton starts at the top row and non-deterministically chooses some register $r$. From state $(h,r)$, it can read any transition label $\theta^{h,h'}_{r,r'}$ and move to $(h',r')$. The only final state is $(h,r)$. The accompanying figure describes (partial) runs of $\mathcal{A}^1_{r'}$ and $\mathcal{A}^1_{r''}$, which allow us to identify the origin of $r'$ and $r''$ when applying the guard $r' < r''$.

Now, consistency of equality guards can indeed be verified by an LCPDL formula. It says that, whenever an equality check $r = r'$ occurs in the symbolic run, then the pids stored in $r$ and $r'$ have a common origin. This can be conveniently expressed in terms of loop and converse. Note that guards are checked at stage $h = 1$ of the corresponding transition:

$\psi_= \;=\; [(\rightarrow + \downarrow)^*] \bigwedge_{r,r' \in \mathrm{Reg}} \big((r = r') \Rightarrow \mathrm{loop}((\mathcal{A}^1_r)^{-1} \cdot \mathcal{A}^1_{r'})\big)$

The next path formula connects the first coordinate of a process $i$ with the first coordinate of another process $i'$ if some guard forces the pid of $i$ to be smaller than that of $i'$:

$\pi_< \;=\; \Big(\sum_{r,r' \in \mathrm{Reg}} \mathcal{A}^1_r \cdot \{r < r'\}? \cdot (\mathcal{A}^1_{r'})^{-1}\Big)^+$

Note that, here, we use the (strict) transitive closure. Consistency of $<$-guards now reduces to saying that there is no $\pi_<$-loop: $\psi_< = \neg\langle\rightarrow^*\rangle\mathrm{loop}(\pi_<)$.

Moreover, we can easily write an LCPDL formula $\psi_{\mathrm{col}}$ that checks whether every column $T[i] \in \Delta^+$ (ignoring $\iota$) is a valid transition sequence of $\mathcal{D}$. Finally, let $\psi_{\mathcal{D}} = \psi_= \wedge \psi_< \wedge \psi_{\mathrm{col}}$.

Lemma 12. We have $L(\psi_{\mathcal{D}}) = \{T_\chi \mid \chi \text{ is a run of } \mathcal{D}\}$.

From $\mathrm{DataPDL}^\ominus$ to LCPDL. Next, we inductively translate every local $\mathrm{DataPDL}^\ominus(\mathcal{D})$ formula $\varphi$ into an $\mathrm{LCPDL}(\mathcal{D})$ formula $\hat\varphi$. The translation is given in Figure 5. As mentioned before, the first column in a table plays the role of a marked process so that $\hat m = \neg\langle\leftarrow\rangle$. The standard formulas are translated as expected. Now, consider $\langle\pi\rangle r < \langle\pi'\rangle r'$ (the remaining cases are similar). To "prove" $\langle\pi\rangle r < \langle\pi'\rangle r'$ at a given position in a symbolic run, we require that there are a $\pi$-path and a $\pi'$-path to coordinates $x$ and $x'$, respectively, whose registers $r$ and $r'$ satisfy $r < r'$. To guarantee the latter, the pids stored in $r$ and $r'$ have to go back to coordinates that are connected by a $\pi_<$-path. Again, using converse, this can be expressed as a loop (cf. Figure 5). Note that, hereby, $\mathcal{A}^2_r$ and $\mathcal{A}^2_{r'}$ refer to stage $h = 2$, which reflects the fact that DataPDL speaks about configurations (determined after updates).

Lemma 13. Let $T \in \{T_\chi \mid \chi \text{ is a run of } \mathcal{D}\}$ and $\varphi$ be a local $\mathrm{DataPDL}^\ominus(\mathcal{D})$ formula. We have $T,(1,0) \models \hat\varphi$ iff $\chi, 1, (1,0) \models \varphi$ for all runs $\chi$ of $\mathcal{D}$ such that $T_\chi = T$.

Using Lemmas 12 and 13, we can now prove Lemma 14 below. Together with Theorem 11, the upper bound of Theorem 10 follows.

Lemma 14. Let $\mathcal{D}$ be a distributed algorithm, $\Phi = \forall_{\mathrm{rings}}\forall_{\mathrm{runs}}\forall_m\,\varphi \in \mathrm{DataPDL}^\ominus(\mathcal{D})$, and $b \geq 1$. We have (a) $\mathcal{D} \models \Phi$ iff $L(\psi_{\mathcal{D}} \wedge \neg\hat\varphi) = \emptyset$, and (b) $\mathcal{D} \models_b \Phi$ iff $L_b(\psi_{\mathcal{D}} \wedge \neg\hat\varphi) = \emptyset$.
Figure 5  From $\mathrm{DataPDL}^\ominus$ to LCPDL:

$\hat m = \neg\langle\leftarrow\rangle$, and $\hat s = \mathit{goto}\ s$ for all $s \in S$

$\widehat{\neg\varphi} = \neg\hat\varphi$, $\widehat{\varphi_1 \wedge \varphi_2} = \hat\varphi_1 \wedge \hat\varphi_2$, $\widehat{\varphi_1 \Rightarrow \varphi_2} = \hat\varphi_1 \Rightarrow \hat\varphi_2$, $\widehat{[\pi]\varphi} = [\hat\pi]\hat\varphi$

$\widehat{\langle\pi\rangle r < \langle\pi'\rangle r'} = \mathrm{loop}(\hat\pi \cdot (\mathcal{A}^2_r)^{-1} \cdot \pi_< \cdot \mathcal{A}^2_{r'} \cdot \hat\pi'^{-1})$

$\widehat{\langle\pi\rangle r \leq \langle\pi'\rangle r'} = \mathrm{loop}(\hat\pi \cdot (\mathcal{A}^2_r)^{-1} \cdot (\pi_< + \varepsilon) \cdot \mathcal{A}^2_{r'} \cdot \hat\pi'^{-1})$

$\widehat{\langle\pi\rangle r = \langle\pi'\rangle r'} = \mathrm{loop}(\hat\pi \cdot (\mathcal{A}^2_r)^{-1} \cdot \mathcal{A}^2_{r'} \cdot \hat\pi'^{-1})$

$\widehat{\langle\pi\rangle r \neq \langle\pi'\rangle r'} = \mathrm{loop}(\hat\pi \cdot (\mathcal{A}^2_r)^{-1} \cdot (\leftarrow^+ + \rightarrow^+) \cdot \mathcal{A}^2_{r'} \cdot \hat\pi'^{-1})$

$\hat\pi$ is inductively obtained from $\pi$ by replacing tests $\{\varphi\}?$ by $\{\hat\varphi\}?$, $\rightarrow$ by $\rightarrow_\circ$ and $\leftarrow$ by $\leftarrow_\circ$ (the roundabout variants of $\rightarrow$ and $\leftarrow$ introduced with the semantics of LCPDL).





5 Conclusion 

In this paper, we provided a conceptually new approach to the verification of distributed 
algorithms that is robust against small changes of the model. 

Actually, we made some assumptions that simplify the presentation, but are not crucial 
to the approach and results. For example, we assumed that an algorithm is synchronous, 
i.e., there is a global clock that, at every clock tick, triggers a round, in which every process 
participates. This can be relaxed to handle communication via (bounded) channels. Second, 
messages are pids, but they could contain message contents from a finite alphabet as well. 
Though the restriction to the class of rings is crucial for the complexity of our algorithm, 
the logical framework we developed is largely independent of concrete (ring) architectures. 
Essentially, we could choose any class of architectures for which LCPDL is decidable. 

We leave open whether round-bounded model checking can deal with full DataPDL, or with properties of the form $\forall_{\mathrm{rings}}\exists_{\mathrm{run}}\,\varphi$, which are branching-time in spirit.


References 

1 R. Alur and P. Cerny. Streaming transducers for algorithmic verification of single-pass list-processing programs. In POPL'11, pages 599-610. ACM, 2011.

2 R. Alur, P. Cerny, and S. Weinstein. Algorithmic analysis of array-accessing programs. 
ACM Trans. Comput. Logic, 13(3):27:l-27:29, August 2012. 

3 B. Aminof, S. Jacobs, A. Khalimov, and S. Rubin. Parameterized model checking of token-passing systems. In VMCAI'14, volume 8318 of LNCS, pages 262-281, 2014.

4 M. Benedikt, W. Fan, and F. Geerts. XPath satisfiability in the presence of DTDs. J. 
ACM, 55(2), 2008. 

5 M. Bojanczyk, A. Muscholl, T. Schwentick, and L. Segoufin. Two-variable logic on data 
trees and XML reasoning. J. ACM, 56(3), 2009. 

6 B. Bollig, A. Cyriac, P. Gastin, and K. Narayan Kumar. Model checking languages of data 
words. In FoSSaCS’12, volume 7213 of LNCS, pages 391-405. Springer, 2012. 

7 M. Chaouch-Saad, B. Charron-Bost, and S. Merz. A reduction theorem for the verification 
of round-based distributed algorithms. In RP’09, volume 5797 of LNCS, pages 93-106. 
Springer, 2009. 

8 E. M. Clarke, O. Grumberg, and D. Peled. Model checking. MIT Press, 2001. 

9 D. Dolev, M. M. Klawe, and M. Rodeh. An 0(n log n) unidirectional distributed algorithm 
for extrema finding in a circle. J. Algorithms, 3(3):245-260, 1982. 

10 E. A. Emerson and K. S. Namjoshi. On reasoning about rings. Int. J. Found. Comput. 
Sci., 14(4):527-550, 2003. 





11 J. Esparza. Keeping a crowd safe: On the complexity of parameterized verification. In STACS'14, volume 25 of LIPIcs, pages 1-10, 2014.

12 D. Figueira and L. Segoufin. Bottom-up automata on data trees and vertical XPath. In STACS'11, volume 9 of LIPIcs, pages 93-104, 2011.

13 W. Fokkink. Distributed Algorithms: An Intuitive Approach. MIT Press, 2013. 

14 R. Franklin. On an improved algorithm for decentralized extrema finding in circular configurations of processors. Commun. ACM, 25(5):336-337, 1982.

15 S. Göller, M. Lohrey, and C. Lutz. PDL with intersection and converse: satisfiability and infinite-state model checking. J. Symb. Log., 74(1):279-314, 2009.

16 I. Konnov, H. Veith, and J. Widder. Who is afraid of model checking distributed al¬ 
gorithms?, 2012. 

17 I. Konnov, H. Veith, and J. Widder. On the completeness of bounded model checking 
for threshold-based distributed algorithms: Reachability. In CONCUR’14, volume 8704 of 
LNCS, pages 125-140. Springer, 2014. 

18 M. Lange. Model checking propositional dynamic logic with all extras. J. Applied Logic, 
4(l):39-49, 2006. 

19 N. A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers Inc., 1996. 

20 S. Qadeer and J. Rehof. Context-bounded model checking of concurrent software. In 
TACAS’05, volume 3440 of LNCS, pages 93-107. Springer, 2005. 

21 T. Tan. Extending two-variable logic on data trees with order on data values and its 
automata. ACM Trans. Comput. Log., 15(1):8, 2014. 

22 M. Y. Vardi. An automata-theoretic approach to linear temporal logic. In Logics for 
Concurrency, volume 1043 of LNCS, pages 238-266. Springer, 1996. 

23 M. Y. Vardi. Reasoning about the past with two-way automata. In ICALP’98, LNCS, 
pages 628-641. Springer, 1998. 





A Proof of Theorem 9

The following remark will be exploited in the proof of Theorem 9 and for the lower-bound proof of Theorem 10.

Remark 15. Note that the only way to communicate information from one process to another is by exchanging and comparing pids. However, we can simulate the exchange of messages from a finite alphabet $B = \{b_1,\ldots,b_k\}$ that can be compared for equality.

Assume a ring $\mathcal{R} = (n : p_1,\ldots,p_n)$. A possible protocol for simulation can employ a leader election algorithm first. Afterwards, the leader identifies $k$ distinct pids (say the $k$ closest pids on its left), and transmits them to all other processes, who keep them in dedicated registers $\bar r_1,\ldots,\bar r_k$. After this initialization phase, the actual simulation can take place with the convention that message $b_j$ is identified by the pid in $\bar r_j$ (of any process). In order for the simulation to work, we have to require that $n > k$.

The drawback of the above protocol is that the initialization phase requires $\log(n)$ rounds. Below we describe another protocol where the initialization can be achieved in $k$ rounds.

Assume a ring $\mathcal{R} = (n : p_1,\ldots,p_n)$ and that $n > k$. Each process has $k+1$ dedicated registers $\bar r_0,\ldots,\bar r_k$. After the initialization (described below), for each process $i$, register $\bar r_j$ holds $p_{i-j}$ (indices modulo $n$). Thus, $\bar r_j$ of process $i$ holds the same value as $\bar r_{j+1}$ of process $i+1$. Since $n > k$, the $k+1$ pids $p_i, p_{i-1}, \ldots, p_{i-k}$ held by a process are pairwise distinct, so the decoding below is unambiguous.

Conventions. To send message $b_j$ to the left, a process simply sends the contents of $\bar r_j$. On the other hand, to send message $b_j$ to the right, it sends the contents of $\bar r_{j-1}$. When a process receives a message from the left, it compares it with registers $\bar r_1,\ldots,\bar r_k$, and if it matches $\bar r_j$ then the message is interpreted as $b_j$. On receiving from the right, on the contrary, it is compared to $\bar r_0,\ldots,\bar r_{k-1}$, and if it matches $\bar r_j$ then the message is interpreted as $b_{j+1}$.

Initialization. It uses $k+1$ control states $s_0,\ldots,s_k$. At $s_0$, all registers hold the self pid. This fills in the correct value for $\bar r_0$. In round $j$, a process moves from $s_{j-1}$ to $s_j$, sending $\bar r_{j-1}$ to the right and receiving in $\bar r_j$ from the left.

Notice that this simulation cannot be used to forward a message to another process using fwd-commands in between. However, the lower bound proofs presented below do not rely on fwd-commands. ◁
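As an added example (not part of the paper), the second protocol of Remark 15 can be exercised on a concrete ring: the $k$ initialization rounds fill $\bar r_0,\ldots,\bar r_k$, and afterwards every message $b_j$ sent in either direction is decoded by the neighbour according to the conventions above. The pids and ring size are constructed inputs; the code also enforces the requirement $n > k$, without which the $k+1$ register values of a process would collide and decoding would be ambiguous.

```python
"""Added example (not from the paper): the second protocol of Remark 15.
A ring of n processes with distinct pids initialises registers
rbar_0..rbar_k in k rounds, after which process i holds p_{i-j} in rbar_j
(indices modulo n).  A message b_j, 1 <= j <= k, is then sent as a pid and
decoded by the receiver.  Requires n > k; smaller rings are rejected."""


class Process:
    def __init__(self, pid, k):
        self.pid = pid
        self.rbar = [pid] * (k + 1)   # at s_0 every register holds the self pid


def initialise(pids, k):
    """k synchronous rounds: in round j each process sends rbar_{j-1} to the
    right and receives into rbar_j from the left.  Index i+1 is the right
    neighbour of index i, cyclically."""
    n = len(pids)
    if n <= k:
        raise ValueError("simulating a %d-letter alphabet needs n > %d" % (k, k))
    if len(set(pids)) != n:
        raise ValueError("pids must be distinct")
    ring = [Process(p, k) for p in pids]
    for j in range(1, k + 1):
        sent = [pr.rbar[j - 1] for pr in ring]
        for i, pr in enumerate(ring):
            pr.rbar[j] = sent[(i - 1) % n]     # value arriving from the left
    return ring


def encode(sender, j, direction):
    """Pid that stands for message b_j when sent in `direction`."""
    return sender.rbar[j] if direction == "left" else sender.rbar[j - 1]


def decode(receiver, value, came_from):
    """Index j such that the received pid stands for b_j, or None if the
    value matches no register (e.g. it is an ordinary pid, not an encoding)."""
    k = len(receiver.rbar) - 1
    if came_from == "left":            # compare with rbar_1..rbar_k -> b_j
        return next((j for j in range(1, k + 1) if receiver.rbar[j] == value), None)
    # from the right: compare with rbar_0..rbar_{k-1}, a match on rbar_j is b_{j+1}
    return next((j + 1 for j in range(k) if receiver.rbar[j] == value), None)


def exchange(ring, sender_idx, j, direction):
    """Send b_j from process sender_idx in `direction`; return what the
    neighbour decodes."""
    n = len(ring)
    if direction == "right":
        receiver, came_from = ring[(sender_idx + 1) % n], "left"
    else:
        receiver, came_from = ring[(sender_idx - 1) % n], "right"
    return decode(receiver, encode(ring[sender_idx], j, direction), came_from)


def demo():
    pids = [17, 4, 23, 9, 31]          # constructed pids, n = 5
    k = 3                              # alphabet {b_1, b_2, b_3}, n > k holds
    ring = initialise(pids, k)
    n = len(pids)
    layout_ok = all(ring[i].rbar[j] == pids[(i - j) % n]
                    for i in range(n) for j in range(k + 1))
    sent = [(i, j, d) for i in range(n)
            for j in range(1, k + 1) for d in ("left", "right")]
    decoded = [exchange(ring, i, j, d) for (i, j, d) in sent]
    return layout_ok, [j for (_, j, _) in sent], decoded
```

The check in `demo` confirms the invariant stated in the remark ($\bar r_j$ of process $i$ equals $\bar r_{j+1}$ of process $i+1$) and that every message round-trips through the encoding in both directions.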

Proof of Theorem 9. We give a reduction from the halting problem of Turing machines. It is equivalent to checking whether a given Turing machine TM can never reach a specific target state (call it $\mathit{halt}$) on any (some) input. Let $S_{\mathrm{TM}}$ be the set of control states of a Turing machine. Let $B_{\mathrm{TM}}$ be the tape alphabet of the Turing machine. Wlog., we assume that the TM starts on the empty tape. From the empty tape, it may simulate an arbitrary input using non-determinism. We also assume that, on reaching the state $\mathit{halt}$, it writes HALT in the current cell. Thus $\mathit{halt} \in S_{\mathrm{TM}}$ and $\mathrm{HALT} \in B_{\mathrm{TM}}$. We describe the distributed algorithm $\mathcal{D}_{\mathrm{TM}}$.

Intuitively, the number of processes in the ring gives an upper bound to the space needed by the Turing machine. Every process will correspond to a cell in the Turing machine's work tape. Since there is no specific starting process for a ring, we run a leader election algorithm first, and the leader will act as the leftmost cell of the tape. The $\ell$-th process to the right of the leader acts as the $\ell$-th tape cell. The local state of a process indicates the corresponding cell content. It also indicates whether the head is currently present at the respective cell. Thus the local states are pairs of the form $(\mathit{sym}, \mathit{head})$ where $\mathit{sym} \in B_{\mathrm{TM}}$ indicates the content of a tape cell, and $\mathit{head}$ is a boolean value denoting the presence of the head of the Turing machine at the current cell. Initially, only the leader process has the head bit set to true. In the simulation, only the process with $\mathit{head} = \mathit{true}$ can send messages, and once it emits a message, the head bit is turned false. The process that receives the message turns the head bit true. The message alphabet (cf. Remark 15) is $S_{\mathrm{TM}}$, which denotes the target control state upon simulating one transition of the Turing machine. The control state of the TM is stored in a designated register $r_{\mathit{state}}$.

We describe the construction in detail now. There are two preliminary phases to facilitate the actual simulation. In phase 1, the processes agree upon the message alphabet $S_{\mathrm{TM}}$ as described in Remark 15. This phase requires $|S_{\mathrm{TM}}| + 1$ registers and local states. Recall that the ring must have size bigger than $|S_{\mathrm{TM}}|$ for simulating the encoding described in Remark 15. Otherwise, the distributed algorithm will be blocked in this phase. However, our reduction would still work because of two reasons. First, our specification will be true for rings smaller than this threshold. This is, in a sense, reducing the model-checking problem with $\forall_{\mathrm{rings}}\forall_{\mathrm{runs}}\forall_m$ prefix to another model-checking problem where the prefix is rephrased to "All rings of size bigger than $\ell$" (here, $\ell = |S_{\mathrm{TM}}|$). Second, a run which uses only a small amount of tape can be simulated on a big tape. (It maintains the unnecessary cells on the right with the empty tape symbol always. In our simulation these processes will be in the state $(\$, \mathit{false})$.) Notice that the number of processes in the ring is only an upper bound of (rather than exactly) the space needed by the Turing machine.

Phase 2 simulates a leader-election protocol, say, the Dolev-Klawe-Rodeh algorithm [9]. The pid of the leader is stored in all processes in a special register $r_{\mathit{leader}}$. Recall that the leader process will act as the leftmost cell of the tape. A process can always check whether it is the leftmost by comparing the value of $r_{\mathit{leader}}$ to the register $\mathit{id}$. This check will be used in guards later in transitions involving moving the head of the TM to the left.

Once phase 2 is completed, the configuration of the ring proceeds to represent the initial configuration of the TM. For this, all processes other than the leader will move to the state $(\$, \mathit{false})$, i.e., representing the empty tape cell and indicating the absence of the head. The leader process will move to the state $(\$, \mathit{true})$. On taking this transition, the register $r_{\mathit{state}}$ of all the processes is set to hold the initial state of the Turing machine.


The simulation of the Turing machine works as follows. Consider a transition of the Turing machine which checks that the current state is $s$ and the current cell contains $a$, updates the cell content to $b$, moves the head to the left and updates the control state to $s'$. The distributed algorithm will have a transition which moves from local state $(a, \mathit{true})$ to $(b, \mathit{false})$ and which also (i) ensures (by a guard) that $r_{\mathit{state}}$ contains the encoding of $s$, (ii) ensures (by a guard) that it is not the leftmost cell ($r_{\mathit{leader}} \neq \mathit{id}$), and (iii) sends the encoding of $s'$ to the left. For this transition to take place, there are complementary transitions at the receiving end which go from $(\cdot, \mathit{false})$ to $(\cdot, \mathit{true})$ upon receiving a value from a neighbor (left or right) into the register $r_{\mathit{state}}$. In fact, such a receive transition is enabled for all processes in all the states. Other transitions of the Turing machine are also implemented similarly. Notice that message transmissions are performed by a process only if $\mathit{head} = \mathit{true}$. Notice also that the leader process does not send to the left. Also, there are no forwarding states.


There is actually one subtlety here that arises from the fact that receptions are non-blocking. We have to make sure that a process is aware whether a "real" message was received or not. To do so, we introduce a register $r_\bot$, containing a special message $\bot$. Note that the first preliminary phase must indeed be executed for an extended message alphabet that also includes the special symbol $\bot$. For incoming messages, a process will use a special register $r_{\mathit{in}}$, which initially contains $\bot$. After executing a receive action, a process will check whether $r_{\mathit{in}} \neq r_\bot$, which makes sure that a message has indeed arrived. The subsequent update will then execute $r_{\mathit{in}} := r_\bot$ to reset $r_{\mathit{in}}$.

Finally, the specification $\Phi_{\mathrm{TM}}$ checks that there is no process in the state $(\mathit{halt}, \mathit{true})$. Thus, if the model-checking problem answers negatively, then there is a ring and a run which encodes a valid Turing machine computation on a tape of size bigger than $|S_{\mathrm{TM}}|$ (which also simulates any smaller size tape) and still reaches the halt state:

$\Phi_{\mathrm{TM}} = \forall_{\mathrm{rings}}\forall_{\mathrm{runs}}\forall_m\,[\pi]\,\neg(\mathit{halt}, \mathit{true})$

where the box modality $[\pi]$ ranges over all positions reachable from the marked process. This concludes the proof of Theorem 9. □


B Proof of the Lower Bound of Theorem 10

Proof. To prove the lower bound, we give a polynomial reduction from the intersection-emptiness problem of finite-state automata. That is, given $k$ finite-state automata $\mathcal{A}_1,\ldots,\mathcal{A}_k$ over a finite alphabet $\Sigma$, where $\mathcal{A}_i = (Q_i, \Delta_i, \mathit{init}_i, F_i)$, is $\bigcap_i L(\mathcal{A}_i) = \emptyset$? This problem is known to be PSPACE-complete.

We will need only unidirectional rings for our reduction. We construct the distributed algorithm $\mathcal{D}$ as follows.

The number of processes in the ring corresponds to the length of a candidate word accepted by all the automata $\mathcal{A}_i$. Each process thus corresponds to a position in the word. The local state of the process remembers the letter from $\Sigma$ at the respective position. The message contents will be the states of the automata. A preliminary phase sets the message alphabet as per Remark 15. At round $i$ after the preliminary phase, all the processes try to simulate a transition of automaton $\mathcal{A}_i$ on the respective position. We give the details below.

In the preliminary phase, the distributed algorithm establishes the finite message alphabet $B = \bigcup_i Q_i$. This requires $|B| + 1$ states, registers, and rounds. In case the ring is smaller than $|B|$, the distributed algorithm will be blocked in this phase. However, our reduction would still work because of two reasons. First, our specification will be true for rings smaller than this threshold. Second, if a word is accepted by all the automata $\mathcal{A}_i$, then acceptance of that word can be simulated on arbitrarily large rings. This will become clear below when we give the actual construction.

The register used for sending the value of a state $s$ to the right is denoted $\mathit{EncOf}(s)$. On receiving a value from the left, let $\mathit{DecOf}(s)$ be the register against which it is compared to ensure that the received value corresponds to state $s$.

After the preliminary phase, a process non-deterministically moves to a local state from the set $(\Sigma \cup \{\$\}) \times [k]$. The special symbol $\$$ marks that a candidate word may start at the right of this process and end at the left of this process. The local state also remembers an index $i$ from $[k]$, indicating that it is currently simulating $\mathcal{A}_i$. For each $a \in \Sigma$ and $i \leq k$, we have a transition of the form

$((a,i) : \mathit{right!}\mathit{EncOf}(s');\ \mathit{left?}r;\ r = \mathit{DecOf}(s);\ \mathit{goto}\ (a, i+1))$

if $(s,a,s') \in \Delta_i$. Further, we have

$((\$,i) : \mathit{right!}\mathit{EncOf}(\mathit{init}_i);\ \mathit{left?}r;\ r = \mathit{DecOf}(f);\ \mathit{goto}\ (\$, i+1))$

if $f \in F_i$. Notice that the symbol associated to a process does not change in any of these transitions.

Thus, the number of rounds needed by the distributed algorithm is $b = |B| + k + 1$, which is polynomial in the size of the input to the intersection-emptiness problem of finite-state automata. The size of the distributed algorithm $\mathcal{D}$ is also polynomial.

Finally, the $\mathrm{DataPDL}^\ominus(\mathcal{D})$ formula states that a state of the form $(\$, k+1)$ cannot be reached:

$\Phi = \forall_{\mathrm{rings}}\forall_{\mathrm{runs}}\forall_m\,[\pi]\,\neg(\$, k+1)$

where, as in the proof of Theorem 9, the box modality $[\pi]$ ranges over all positions reachable from the marked process. Notice that, if the bounded model checking answers no, then there are a ring, a run, and a marked process $m$ such that $m$ eventually reaches the state $(\$, k+1)$. This means that, in all states $(\$, i)$, $m$ has received a state $f_i \in F_i$. Let $m'$ be the first process on the left of $m$ which has a state of the form $(\$, i)$. Note that $m'$ can be the same as $m$. The word represented by the states of the processes between $m'$ and $m$ is in $\bigcap_i L(\mathcal{A}_i)$. Note that, even if this is the empty word (that is, $m'$ is the left neighbor of $m$), it must be in the intersection, since then $\mathit{init}_i \in F_i$ for every automaton $\mathcal{A}_i$. On the other hand, if the intersection is non-empty, there is a run that violates the specification.

Thus, the bounded model checking of $\mathcal{D}$ answers yes if, and only if, the intersection of the $L(\mathcal{A}_i)$ is empty.

This proves the PSPACE lower bound stated in Theorem 10. □
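The reduction above, run on concrete inputs as an added example (this is not code from the paper): a ring is a cyclic list of local symbols from $\Sigma \cup \{\$\}$, and round $i$ lets every process take one transition of $\mathcal{A}_i$, coupled to its left neighbour through the guard $r = \mathit{DecOf}(s)$. Message values are taken to be automaton states directly, which Remark 15 justifies; the size constraint $n > |B|$ of the preliminary phase is not modelled. The two automata, the words and the rings below are constructed for illustration, and `run_survives` answers whether some run of $\mathcal{D}$ passes all $k$ rounds on the given ring, i.e. whether the specification is violated there.

```python
"""Added example (not from the paper): the reduction of Appendix B on
constructed inputs.  Round i simulates A_i on every process at once; a '$'
process sends init_i to the right and its guard requires a final state from
the left; a process holding letter a receives s and sends some s' with
(s, a, s') in delta_i."""

from collections import namedtuple

# delta is a set of triples (s, a, s')
NFA = namedtuple("NFA", "states delta init finals")


def step(nfa, states, a):
    return {t for (s, b, t) in nfa.delta if s in states and b == a}


def simulate_round(nfa, ring):
    """Round i of D with nfa = A_i.  Returns, per process, the set of states
    it can consistently send to the right (choices are coupled through the
    guard r = DecOf(s)), or None if some process has no enabled transition,
    in which case no run of D survives this round on this ring."""
    n = len(ring)
    starts = [p for p in range(n) if ring[p] == "$"]
    assert starts, "rings in this example always contain a '$' process"
    sendable = [None] * n
    for start in starts:
        sendable[start] = {nfa.init}            # ($, i): right!EncOf(init_i)
        p = (start + 1) % n
        while ring[p] != "$":
            # (a, i): left?r with r = DecOf(s), then right!EncOf(s')
            sendable[p] = step(nfa, sendable[(p - 1) % n], ring[p])
            if not sendable[p]:
                return None
            p = (p + 1) % n
        # the next '$' process needs r = DecOf(f) for some f in F_i
        if not (sendable[(p - 1) % n] & nfa.finals):
            return None
    return sendable


def run_survives(ring, nfas):
    """True iff D has a run on this ring that passes all k rounds, i.e. every
    '$' process reaches ($, k+1) and the specification is violated."""
    return all(simulate_round(nfa, ring) is not None for nfa in nfas)


def word_in_intersection(word, nfas):
    """Ring encoding of a candidate word: one '$' followed by its letters."""
    return run_survives(["$"] + list(word), nfas)


# Constructed automata over {a, b}: A1 accepts words with an even number of
# a's, A2 accepts words ending in b.
A1 = NFA({"e", "o"}, {("e", "a", "o"), ("o", "a", "e"),
                      ("e", "b", "e"), ("o", "b", "o")}, "e", {"e"})
A2 = NFA({"0", "1"}, {("0", "a", "0"), ("0", "b", "1"),
                      ("1", "a", "0"), ("1", "b", "1")}, "0", {"1"})
```

Two consecutive `$` processes encode the empty word, and `run_survives` then demands $\mathit{init}_i \in F_i$ for every $i$, exactly as the proof notes; a ring with several `$` processes encodes several candidate words, all of which must be accepted for the run to continue.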


C Proof of Theorem 11

We can restrict to pictures of height $k = b$ (rather than $k \leq b$), since checking satisfiability for every height separately does not change the complexity. We reduce the problem to words, for which LCPDL satisfiability is known to be PSPACE-complete [15] (since formulas from LCPDL have bounded intersection width). A picture $T = (n,k,\lambda)$ is considered as the word $T[1] \cdots T[n] \in \Delta^+$. Thus, the columns are written horizontally rather than vertically. When translating an LCPDL formula over tables into an LCPDL formula over words, going to the left or right involves some modulo counting: $\downarrow$ (the next row within a column) becomes a single step to the right in the word, provided the step does not cross a column boundary, and $\rightarrow$ (the next column) becomes a jump of $k+1$ positions to the right in the word. An additional difficulty stems from the fact that we allow automata as path expressions, but it is straightforward to integrate them into the construction of an alternating two-way automaton from [15].


D Proof of Lemma 12

Let us first introduce some notation. Let $T_{\mathcal{D}} = \{T_\chi \mid \chi \text{ is a run of } \mathcal{D}\}$. For a table $T \in \Delta^{++}$, let $\mathit{Runs}(T) = \{\chi \mid \chi \text{ is a run of } \mathcal{D} \text{ such that } T_\chi = T\}$.

A pseudo ($\mathcal{R}$-)run of $\mathcal{D}$ is like an ($\mathcal{R}$-)run $\chi = C_0 \xrightarrow{t^1} C_1 \cdots \xrightarrow{t^k} C_k$, but conditions 1.-3. are not checked. That is, target and source states are not necessarily matching, and $=$- and $<$-guards are ignored. Thus, every run is a pseudo run, but not vice versa. We define $T_\chi$ and $\mathit{Pos}(\chi)$ in exactly the same way as for runs.

Given a (pseudo) run $\chi = C_0 \xrightarrow{t^1} C_1 \cdots \xrightarrow{t^k} C_k$ of $\mathcal{D}$ (where $C_j = (s^j_1,\ldots,s^j_n,\rho^j_1,\ldots,\rho^j_n)$) and $(i,j) \in \mathit{Pos}(\chi)$, we set $\chi^2_{(i,j)} = \rho^j_i$ (abusing notation). Moreover, for $j \geq 1$, $\chi^1_{(i,j)}$ denotes the corresponding $j$-th intermediate register assignment, which was defined with the semantics of runs to obtain the mapping $\rho^j_i$. Finally, we set $\chi^1_{(i,0)} = \chi^2_{(i,0)}$.

To prove Lemma 12, we will need two further lemmas:

Lemma 16. For all pseudo runs $\chi$ of $\mathcal{D}$, coordinates $(i,j),(i',j') \in \mathit{Pos}(\chi)$, and registers $r \in \mathrm{Reg}$, the following hold:

(a) $((i,j),(i',j')) \in \llbracket\mathcal{A}^1_r\rrbracket_{T_\chi} \iff (\chi^2_{(i,j)}(\mathit{id}) = \chi^1_{(i',j')}(r) \wedge j = 0)$

(b) $((i,j),(i',j')) \in \llbracket\mathcal{A}^2_r\rrbracket_{T_\chi} \iff (\chi^2_{(i,j)}(\mathit{id}) = \chi^2_{(i',j')}(r) \wedge j = 0)$

Proof. Let the pseudo $\mathcal{R}$-run in question be given by $\chi = C_0 \xrightarrow{t^1} C_1 \cdots \xrightarrow{t^k} C_k$ where $t^j = (t^j_1,\ldots,t^j_n) \in \Delta^n$.

To be able to perform an induction, we show a more general statement that captures both (a) and (b). To this aim, we define the automaton $\mathcal{A}^0_r$ in the expected manner, i.e., where the only final state is $(0,r)$. We will show, for all $h \in \{0,1,2\}$,

$((i,j),(i',j')) \in \llbracket\mathcal{A}^h_r\rrbracket_{T_\chi} \iff (\chi^2_{(i,j)}(\mathit{id}) = \chi_{(i',j')}[h](r) \wedge j = 0). \qquad (1)$

Here, $\chi_{(i',j')}[2]$ refers to $\chi^2_{(i',j')}$ and $\chi_{(i',j')}[1]$ refers to $\chi^1_{(i',j')}$ (recall that $\chi^1_{(i',0)} = \chi^2_{(i',0)}$). For $j' \geq 1$, we let $\chi_{(i',j')}[0](r)$ refer to the value of $r$ at position $(i',j')$ before reception. Finally, we set $\chi_{(i',0)}[0] = \chi_{(i',0)}[1]$ ($= \chi^1_{(i',0)}$).

Before we come to the actual proof of (1), we define the relation

$\rightarrow_\chi \;\subseteq\; \mathit{Conf} \times \{\mathit{loc}, \mathit{upd}, \mathit{next}, \mathit{msg}\} \times \mathit{Conf}$

where $\mathit{Conf} = \mathit{Pos}(\chi) \times \mathrm{Reg} \times \{0,1,2\}$. The idea is that $\rightarrow_\chi$ captures the flow of pids in $\chi$. Writing $(i,j,r,h) \xrightarrow{\theta}_\chi (i',j',r',h')$ for $((i,j,r,h),\theta,(i',j',r',h')) \in\; \rightarrow_\chi$, we let $\rightarrow_\chi$ be the least relation satisfying the following:

• $(i,j,r,0) \xrightarrow{\mathit{loc}}_\chi (i,j,r,1)$ if there are no $r',i'$ such that $r'@i' \hookrightarrow r@i$ (in step $C_{j-1} \to C_j$)

• $(i,j,r,1) \xrightarrow{\mathit{upd}}_\chi (i,j,r',2)$ if $r \neq r'$ and $(r' := r) \in t^j_i$, or $r = r'$ and $(r := r'') \notin t^j_i$ for all $r'' \neq r$

• $(i,j,r,2) \xrightarrow{\mathit{next}}_\chi (i,j+1,r,0)$

• $(i,j,r,0) \xrightarrow{\mathit{msg}}_\chi (i',j,r',1)$ if $r@i \hookrightarrow r'@i'$ (in step $C_{j-1} \to C_j$)

Note that $(i,j,r,h) \xrightarrow{\theta}_\chi (i',j',r',h')$ immediately implies $\chi_{(i,j)}[h](r) = \chi_{(i',j')}[h'](r')$. We will show that, moreover, we have

$(i,j,r,h) \xrightarrow{\theta}_\chi (i',j',r',h') \iff ((i,j),(i',j')) \in \llbracket\theta^{h,h'}_{r,r'}\rrbracket_{T_\chi}. \qquad (2)$

To prove this, we distinguish four cases:

• Suppose $\theta = \mathit{loc}$. Then, we can assume $h = 0$ and $h' = 1$. We have

$(i,j,r,0) \xrightarrow{\mathit{loc}}_\chi (i',j',r',1)$
$\iff r = r' \wedge (i,j) = (i',j') \wedge \neg\exists\, r'', i''$ such that $r@i \leftarrow r''@i''$ (in step $C_{j-1} \Rightarrow C_j$)
$\iff r = r' \wedge ((i,j),(i',j')) \in \llbracket \{\bigwedge_{r'' \in \mathit{Reg}} \neg(\ldots)\}? \rrbracket_{T_\chi}$
$\iff ((i,j),(i',j')) \in \llbracket \mathit{loc}_{r,r'} \rrbracket_{T_\chi}$

• Suppose $\theta = \mathit{upd}$. We can assume $h = 1$ and $h' = 2$. We distinguish two subcases.

1. Suppose $r \neq r'$. Then, we have

$(i,j,r,1) \xrightarrow{\mathit{upd}}_\chi (i',j',r',2)$
$\iff (i,j) = (i',j') \wedge (r' := r) \in t_i^j$
$\iff ((i,j),(i',j')) \in \llbracket \{r' := r\}? \rrbracket_{T_\chi}$
$\iff ((i,j),(i',j')) \in \llbracket \mathit{update}_{r,r'} \rrbracket_{T_\chi}$

2. Suppose $r = r'$. Then,

$(i,j,r,1) \xrightarrow{\mathit{upd}}_\chi (i',j',r',2)$
$\iff (i,j) = (i',j') \wedge (r := r'') \notin t_i^j$ for all $r'' \neq r$
$\iff ((i,j),(i',j')) \in \llbracket \{\bigwedge_{r'' \neq r} \neg(r := r'')\}? \rrbracket_{T_\chi}$
$\iff ((i,j),(i',j')) \in \llbracket \mathit{update}_{r,r'} \rrbracket_{T_\chi}$

• Suppose $\theta = \mathit{next}$. We can assume $h = 2$ and $h' = 0$. We have

$(i,j,r,2) \xrightarrow{\mathit{next}}_\chi (i',j',r',0)$
$\iff r = r' \wedge i = i' \wedge j' = j + 1$
$\iff r = r' \wedge ((i,j),(i',j')) \in \llbracket \downarrow \rrbracket_{T_\chi}$
$\iff ((i,j),(i',j')) \in \llbracket \mathit{next}_{r,r'} \rrbracket_{T_\chi}$

We are now ready to prove (1).

(⇒): First note that $((i,j),(i',j')) \in \llbracket A_r^h \rrbracket_{T_\chi}$ always implies $j = 0$, since the automaton has to read $\{\neg\langle\uparrow\rangle\}?$ before it can accept at all (its initial state $\iota$ is not a final state).

Consider an (accepting) execution

$\iota \xrightarrow{\pi_1} (r_1,h_1) \xrightarrow{\pi_2} \ldots \xrightarrow{\pi_\ell} (r_\ell,h_\ell) = (r,h)$

of $A_r^h$, with $\ell \geq 1$, $\pi_1 = \{\neg\langle\uparrow\rangle\}?$ and $\pi_l = (\theta_l)_{r_{l-1},r_l}$ for all $l \in \{2,\ldots,\ell\}$, connecting $(u,0)$ with $(i,j)$. That is, $((u,0),(i,j)) \in \llbracket \pi_1 \cdot \ldots \cdot \pi_\ell \rrbracket_{T_\chi}$. We have to show $\chi_u^0(\mathit{id}) = \chi_i^j[h](r)$.

There are positions $(u,0) = (i_0,j_0), (i_1,j_1), \ldots, (i_\ell,j_\ell) = (i,j) \in \mathit{Pos}(\chi)$ such that $((i_{l-1},j_{l-1}),(i_l,j_l)) \in \llbracket \pi_l \rrbracket_{T_\chi}$ for all $l \in [\ell]$. By (2), we obtain

$(i_1,j_1,r_1,h_1) \xrightarrow{\theta_2}_\chi (i_2,j_2,r_2,h_2) \xrightarrow{\theta_3}_\chi \ldots \xrightarrow{\theta_\ell}_\chi (i_\ell,j_\ell,r_\ell,h_\ell).$

This implies $\chi_{i_1}^{j_1}[h_1](r_1) = \chi_{i_\ell}^{j_\ell}[h_\ell](r_\ell)$, which equals $\chi_i^j[h](r)$. Since $\pi_1 = \{\neg\langle\uparrow\rangle\}?$, we also have $(u,0) = (i_1,j_1)$ and, therefore, $\chi_u^0(\mathit{id}) = \chi_{i_1}^{j_1}[h_1](r_1)$. We conclude $\chi_u^0(\mathit{id}) = \chi_i^j[h](r)$.

(⇐): Suppose $\chi_u^0(\mathit{id}) = \chi_i^j[h](r)$. We will show that $((u,0),(i,j)) \in \llbracket A_r^h \rrbracket_{T_\chi}$.

By the semantics of $\mathcal{D}$, pid $\chi_u^0(\mathit{id})$ has to be transmitted along transitions or messages. Thus, there are $\ell \geq 1$, positions $(i_1,j_1), \ldots, (i_\ell,j_\ell) = (i,j) \in \mathit{Pos}(\chi)$, registers $r_1, \ldots, r_\ell = r$, stages $0 = h_1, \ldots, h_\ell = h \in \{0,1,2\}$, and $\theta_2, \ldots, \theta_\ell \in \{\mathit{loc}, \mathit{upd}, \mathit{next}, \mathit{msg}\}$ such that

• $((u,0),(i_1,j_1)) \in \llbracket \{\neg\langle\uparrow\rangle\}? \rrbracket_{T_\chi}$ (therefore, $(u,0) = (i_1,j_1)$), and

• $(i_{l-1},j_{l-1},r_{l-1},h_{l-1}) \xrightarrow{\theta_l}_\chi (i_l,j_l,r_l,h_l)$ for all $l \in \{2,\ldots,\ell\}$.

By (2), we have

$((i_{l-1},j_{l-1}),(i_l,j_l)) \in \llbracket (\theta_l)_{r_{l-1},r_l} \rrbracket_{T_\chi}$

for all $l \in \{2,\ldots,\ell\}$. We deduce

$((u,0),(i,j)) = ((u,0),(i_\ell,j_\ell)) \in \llbracket \{\neg\langle\uparrow\rangle\}? \cdot (\theta_2)_{r_1,r_2} \cdot \ldots \cdot (\theta_\ell)_{r_{\ell-1},r_\ell} \rrbracket_{T_\chi} \subseteq \llbracket A_r^h \rrbracket_{T_\chi}.$

This concludes the proof of Lemma 16. □
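As an added illustration that is not part of the paper, the following Python models the pid-flow relation $\to_\chi$ used in this proof: a small ring simulator records, for every coordinate $(i,j,r,h)$, the unique flow edge entering it, checks the remark that every edge joins coordinates holding the same pid, and walks the flow back to the round-0 origin of a pid as in the (⇐) direction above. The round semantics (stage 0 = start of the round, 1 = after receptions, 2 = after register updates), the initial assignment (every register holds the process's own pid), and all identifiers are assumptions made for this example.

```python
def simulate(pids, regs, rounds):
    """rounds[j-1] = (receives, updates) describes round j, where
    receives = {(i2, r2): (i1, r1)} means r2@i2 <- r1@i1 and
    updates = {i: [(r2, r1), ...]} means r2 := r1 at process i.
    Returns assign[(i, j, h)] (register -> pid) and pred[target] =
    (source, label), the unique flow edge of ->_chi entering target."""
    n, assign, pred = len(pids), {}, {}
    for i in range(1, n + 1):         # assumption: every register starts with own pid
        assign[(i, 0, 2)] = {r: pids[i - 1] for r in regs}
    for j, (receives, updates) in enumerate(rounds, start=1):
        for i in range(1, n + 1):     # stage 0/1 defaults: "next" and "loc" edges
            assign[(i, j, 0)] = dict(assign[(i, j - 1, 2)])
            assign[(i, j, 1)] = dict(assign[(i, j, 0)])
            for r in regs:
                pred[(i, j, r, 0)] = ((i, j - 1, r, 2), "next")
                pred[(i, j, r, 1)] = ((i, j, r, 0), "loc")
        for (i2, r2), (i1, r1) in receives.items():  # "msg": overrides "loc"
            assign[(i2, j, 1)][r2] = assign[(i1, j, 0)][r1]
            pred[(i2, j, r2, 1)] = ((i1, j, r1, 0), "msg")
        for i in range(1, n + 1):     # "upd": simultaneous r2 := r1 on stage-1 values
            assign[(i, j, 2)] = dict(assign[(i, j, 1)])
            for r in regs:            # registers that are not written keep their pid
                pred[(i, j, r, 2)] = ((i, j, r, 1), "upd")
            for r2, r1 in updates.get(i, []):
                assign[(i, j, 2)][r2] = assign[(i, j, 1)][r1]
                pred[(i, j, r2, 2)] = ((i, j, r1, 1), "upd")
    return assign, pred

def value(assign, node):
    i, j, r, h = node                 # chi_i^j[h](r)
    return assign[(i, j, h)][r]

def flow_preserves_pids(assign, pred):
    """The remark after the definition of ->_chi: each edge joins equal pids."""
    return all(value(assign, s) == value(assign, t) for t, (s, _) in pred.items())

def origin(pred, node):
    """Walk ->_chi backwards to the round-0 coordinate the pid came from,
    as in the (<=) direction of the proof of (1)."""
    path = [node]
    while node in pred:
        node = pred[node][0]
        path.append(node)
    return node, path

# Constructed input: three processes; each round forwards "max" into the right
# neighbour's "in" and copies "in" into "max" where it is larger (updates listed, guard not modelled).
PIDS, REGS = [5, 3, 8], ["id", "max", "in"]
RING = {(2, "in"): (1, "max"), (3, "in"): (2, "max"), (1, "in"): (3, "max")}
ROUNDS = [(RING, {1: [("max", "in")], 2: [("max", "in")]}), (RING, {2: [("max", "in")]})]
```

After two rounds, `origin(pred, (2, 2, "max", 2))` traces the pid 8 held by process 2 back through upd, msg and next edges to process 3's initial registers.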

Lemma 17. For all $T = (n,k,\lambda) \in \mathcal{T}_\mathcal{D}$ and $i,i' \in [n]$, we have

$((i,0),(i',0)) \in \llbracket \pi_< \rrbracket_T \iff \forall \chi \in \mathit{Runs}(T) : \chi_i^0(\mathit{id}) < \chi_{i'}^0(\mathit{id}).$

Proof. There are two directions to show.

(⇒): Suppose $((i,0),(i',0)) \in \llbracket \pi_< \rrbracket_T$. Then, there are $\ell \geq 1$ and $i = i_0, \ldots, i_\ell = i'$ such that

$((i_{l-1},0),(i_l,0)) \in \Bigl\llbracket \bigcup_{r,r' \in \mathit{Reg}} A_r \cdot \{r < r'\}? \cdot (A_{r'})^{-1} \Bigr\rrbracket_T$

for all $l \in [\ell]$. Let $\chi \in \mathit{Runs}(T)$. By Lemma 16, we have $\chi_{i_{l-1}}^0(\mathit{id}) < \chi_{i_l}^0(\mathit{id})$ for all $l \in [\ell]$. We deduce $\chi_i^0(\mathit{id}) < \chi_{i'}^0(\mathit{id})$.

(⇐): We denote the processes in question by $u$ and $u'$. Suppose that $((u,0),(u',0)) \notin \llbracket \pi_< \rrbracket_T$. We are going to show that there is $\chi \in \mathit{Runs}(T)$ such that $\chi_u^0(\mathit{id}) > \chi_{u'}^0(\mathit{id})$. Let $\prec\; = \{(i,i') \mid ((i,0),(i',0)) \in \llbracket \pi_< \rrbracket_T\}$. In particular, $u \not\prec u'$. By direction (⇒), we have that $\prec$ is a (strict) partial order.

Let $\mathcal{R} = (n : p_1, \ldots, p_n)$ be any ring such that (i) $p_u > p_{u'}$ and (ii) for all $i,i' \in [n]$, $i \prec i'$ implies $p_i < p_{i'}$. Since $\prec$ is a strict partial order and $u \not\prec u'$, such a ring must exist. Now, note that there is a unique pseudo $\mathcal{R}$-run

$\chi = C_0 \Rightarrow^{t^1} C_1 \Rightarrow^{t^2} \ldots \Rightarrow^{t^k} C_k$

(where $t^j = (t_1^j, \ldots, t_n^j) \in \Delta^n$) such that $T_\chi = T$. We will show that $\chi$ is indeed also an $\mathcal{R}$-run, which concludes the proof.

Let $(i,j) \in \mathit{Pos}(T)$ and $r,r' \in \mathit{Reg}$ such that $(r < r') \in t_i^j$. We have to show that $\chi_i^j(r) < \chi_i^j(r')$. By Lemma 16, there are $o, o' \in [n]$ such that

• $\chi_o^0(\mathit{id}) = \chi_i^j(r)$ and $\chi_{o'}^0(\mathit{id}) = \chi_i^j(r')$, and

• $((o,0),(i,j)) \in \llbracket A_r \rrbracket_{T_\chi}$ and $((o',0),(i,j)) \in \llbracket A_{r'} \rrbracket_{T_\chi}$.

The latter implies

$((o,0),(o',0)) \in \llbracket A_r \cdot \{r < r'\}? \cdot (A_{r'})^{-1} \rrbracket_{T_\chi}.$

In particular, $((o,0),(o',0)) \in \llbracket \pi_< \rrbracket_{T_\chi}$. We deduce $o \prec o'$. This implies $\chi_o^0(\mathit{id}) < \chi_{o'}^0(\mathit{id})$. We conclude that $\chi_i^j(r) < \chi_i^j(r')$.

Finally, let $(i,j) \in \mathit{Pos}(T)$ and $r,r' \in \mathit{Reg}$ such that $(r = r') \in t_i^j$. Since $\mathit{Runs}(T) \neq \emptyset$, there is a run that validates guard $r = r'$ at coordinate $(i,j)$. By Lemma 16, this is actually true for all pseudo runs of $T$. We deduce $\chi_i^j(r) = \chi_i^j(r')$.

Note that run condition 1. is satisfied, since $T \in \mathcal{T}_\mathcal{D}$. This concludes the proof. □


We will now proceed to the proof of Lemma 12.

Proof of Lemma 12. Recall that we have to show $L(\psi_\mathcal{D}) = \mathcal{T}_\mathcal{D}$, where $\psi_\mathcal{D} = \psi_= \wedge \psi_< \wedge \psi_{\mathit{col}}$.

(⊆): Let $T = (n,k,\lambda) \in L(\psi_\mathcal{D})$. We will show $T \in \mathcal{T}_\mathcal{D}$ by constructing a run $\chi$ of $\mathcal{D}$ such that $T_\chi = T$.

Again, let $\prec\; = \{(i,i') \mid ((i,0),(i',0)) \in \llbracket \pi_< \rrbracket_T\}$. As $T,(1,0) \models \psi_< = \neg\langle\to^*\rangle \mathit{loop}(\pi_<)$, we have that $\prec$ is a strict partial order. Choose any ring $\mathcal{R} = (n : p_1, \ldots, p_n)$ such that, for all $i,i' \in [n]$, $i \prec i'$ implies $p_i < p_{i'}$. There is a unique pseudo $\mathcal{R}$-run

$\chi = C_0 \Rightarrow^{t^1} C_1 \Rightarrow^{t^2} \ldots \Rightarrow^{t^k} C_k$

of $\mathcal{D}$ such that $T_\chi = T$.

Let $j \in [k]$. We have to show $C_{j-1} \Rightarrow^{t^j} C_j$ where, this time, all run conditions are checked. Condition 4. of the definition of $\Rightarrow$ is satisfied thanks to the definition of a pseudo run. Condition 1. is ensured by $T \in L(\psi_{\mathit{col}})$. Let $i \in [n]$ and suppose $(r = r') \in t_i^j$. We have $T,(i,j) \models \mathit{loop}((A_r)^{-1} \cdot A_{r'})$. By Lemma 16, we have $\chi_i^j(r) = \chi_i^j(r')$. Finally, suppose $(r < r') \in t_i^j$. We proceed like in the reverse direction of the proof of Lemma 17 to show that $\chi_i^j(r) < \chi_i^j(r')$.

Altogether, it follows that $\chi$ is a run.

(⊇): Let $T = (n,k,\lambda) \in \Delta^{++}$ such that $T \notin L(\psi_\mathcal{D})$. To show $T \notin \mathcal{T}_\mathcal{D}$, we distinguish three (non-disjoint) cases.

• Suppose $T \notin L(\psi_{\mathit{col}})$. Obviously, this implies $T \notin \mathcal{T}_\mathcal{D}$.

• Suppose $T \notin L(\psi_=)$. Recall that

$\psi_= = [\to^*][\downarrow^*] \bigwedge_{r \neq r' \in \mathit{Reg}} \bigl(r = r' \Rightarrow \mathit{loop}((A_r)^{-1} \cdot A_{r'})\bigr).$

Thus, there are a coordinate $(i,j) \in [n] \times [k]_0$ and registers $r_1, r_2 \in \mathit{Reg}$ such that we have $(r_1 = r_2) \in T[i,j]$ and $T,(i,j) \not\models \mathit{loop}((A_{r_1})^{-1} \cdot A_{r_2})$. Towards a contradiction, suppose there is $\chi \in \mathit{Runs}(T)$. By Lemma 16, there are (unique) $i_1, i_2 \in [n]$ such that $\chi_{i_1}^0(\mathit{id}) = \chi_i^j(r_1)$ and $\chi_{i_2}^0(\mathit{id}) = \chi_i^j(r_2)$, as well as $((i_1,0),(i,j)) \in \llbracket A_{r_1} \rrbracket_T$ and $((i_2,0),(i,j)) \in \llbracket A_{r_2} \rrbracket_T$. Since $T,(i,j) \not\models \mathit{loop}((A_{r_1})^{-1} \cdot A_{r_2})$, we have that $i_1 \neq i_2$. We deduce $\chi_i^j(r_1) \neq \chi_i^j(r_2)$, which contradicts $(r_1 = r_2) \in T[i,j]$. Altogether, we obtain $T \notin \mathcal{T}_\mathcal{D}$.

• Suppose $T \notin L(\psi_<)$ where $\psi_< = \neg\langle\to^*\rangle \mathit{loop}(\pi_<)$. Then, there is $i \in [n]$ such that $T,(i,0) \models \mathit{loop}(\pi_<)$. By Lemma 17, we have $\chi_i^0(\mathit{id}) < \chi_i^0(\mathit{id})$ for all runs $\chi \in \mathit{Runs}(T)$. Thus, $\mathit{Runs}(T) = \emptyset$ and, therefore, $T \notin \mathcal{T}_\mathcal{D}$.

This concludes the proof of Lemma 12. □


Proof of Lemma 13. We show a more general statement. First, call a local DataPDL®($\mathcal{D}$) formula $\varphi$ good if it does not contain any guard of the form $\leq$ or $<$. Recall that we set $\mathcal{T}_\mathcal{D} = \{T_\chi \mid \chi \text{ is a run of } \mathcal{D}\}$ and, for a table $T \in \Delta^{++}$, $\mathit{Runs}(T) = \{\chi \mid \chi \text{ is a run of } \mathcal{D} \text{ such that } T_\chi = T\}$.

We will simultaneously show the following statements:

• For all local DataPDL®($\mathcal{D}$) formulas $\varphi$:

(a) for all $T \in \mathcal{T}_\mathcal{D}$ and $(i,j) \in \mathit{Pos}(T)$,

$T,(i,j) \models \varphi \iff \chi,1,(i,j) \models \varphi$ for all $\chi \in \mathit{Runs}(T)$.

• For all good local DataPDL®($\mathcal{D}$) formulas $\varphi$:

(b) for all runs $\chi$ of $\mathcal{D}$ and all $(i,j) \in \mathit{Pos}(\chi)$,

$T_\chi,(i,j) \models \varphi \iff \chi,1,(i,j) \models \varphi.$

• For all DataPDL®($\mathcal{D}$) path formulas $\pi$:

(c) for all runs $\chi$ of $\mathcal{D}$, we have $\llbracket \pi \rrbracket_{T_\chi} = \llbracket \pi \rrbracket_{\chi,1}$.

We first consider local formulas. We proceed by induction on the structure of $\varphi$. Note that (b) is a stronger statement: when we show that (b) holds for a formula, then (a) holds for that formula, too.


• Suppose $\varphi = m$. It is enough to show (b). Recall that $m = \neg\langle\leftarrow\rangle$. We have $T_\chi,(i,j) \models m \iff i = 1 \iff \chi,1,(i,j) \models m$.

• Suppose $\varphi = s \in S$. Again, it is enough to show (b). Recall that $s = \mathit{goto}\ s$. By the definition of runs, the semantics of DataPDL®, and $T_\chi$, we have that $T_\chi,(i,j) \models \mathit{goto}\ s \iff \chi,1,(i,j) \models s$.

• Consider $\neg\varphi$. Then, $\varphi$ is a good formula. Recall that $\neg\varphi$ is interpreted as the negation of $\varphi$. We have $T_\chi,(i,j) \models \neg\varphi \iff T_\chi,(i,j) \not\models \varphi \iff$ (by I.H.(b)) $\chi,1,(i,j) \not\models \varphi \iff \chi,1,(i,j) \models \neg\varphi$.


• Suppose $\varphi = (\varphi_1 \wedge \varphi_2)$.

(a) We have

$T,(i,j) \models \varphi_1 \wedge \varphi_2$
$\iff T,(i,j) \models \varphi_1$ and $T,(i,j) \models \varphi_2$
$\iff$ ($\chi,1,(i,j) \models \varphi_1$ for all $\chi \in \mathit{Runs}(T)$) and ($\chi,1,(i,j) \models \varphi_2$ for all $\chi \in \mathit{Runs}(T)$)
$\iff \chi,1,(i,j) \models \varphi_1 \wedge \varphi_2$ for all $\chi \in \mathit{Runs}(T)$

(b) Suppose $\varphi_1$ and $\varphi_2$ are good. We have

$T_\chi,(i,j) \models \varphi_1 \wedge \varphi_2$
$\iff T_\chi,(i,j) \models \varphi_1$ and $T_\chi,(i,j) \models \varphi_2$
$\iff$ (by I.H.(b)) $\chi,1,(i,j) \models \varphi_1$ and $\chi,1,(i,j) \models \varphi_2$
$\iff \chi,1,(i,j) \models \varphi_1 \wedge \varphi_2$


• Consider $\varphi = (\varphi_1 \Rightarrow \varphi_2)$. Then, $\varphi_1$ is good.

(a) There are two directions to show:

(⇒): We have

$T,(i,j) \models \varphi_1 \Rightarrow \varphi_2$
$\iff T,(i,j) \not\models \varphi_1$ or $T,(i,j) \models \varphi_2$
$\Longrightarrow$ (by I.H.(b),(a)) ($\chi,1,(i,j) \not\models \varphi_1$ for all $\chi \in \mathit{Runs}(T)$) or ($\chi,1,(i,j) \models \varphi_2$ for all $\chi \in \mathit{Runs}(T)$)
$\Longrightarrow \chi,1,(i,j) \models \varphi_1 \Rightarrow \varphi_2$ for all $\chi \in \mathit{Runs}(T)$

(⇐): We have

$T,(i,j) \not\models \varphi_1 \Rightarrow \varphi_2$
$\iff T,(i,j) \models \varphi_1$ and $T,(i,j) \not\models \varphi_2$
$\Longrightarrow$ (by I.H.(b),(a)) ($\chi,1,(i,j) \models \varphi_1$ for all $\chi \in \mathit{Runs}(T)$) and ($\chi,1,(i,j) \not\models \varphi_2$ for some $\chi \in \mathit{Runs}(T)$)
$\Longrightarrow \chi,1,(i,j) \not\models \varphi_1 \Rightarrow \varphi_2$ for some $\chi \in \mathit{Runs}(T)$

(b) Here, we require that both $\varphi_1$ and $\varphi_2$ are good. Then,

$T_\chi,(i,j) \models \varphi_1 \Rightarrow \varphi_2$
$\iff T_\chi,(i,j) \not\models \varphi_1$ or $T_\chi,(i,j) \models \varphi_2$
$\iff$ (by I.H.(b)) $\chi,1,(i,j) \not\models \varphi_1$ or $\chi,1,(i,j) \models \varphi_2$
$\iff \chi,1,(i,j) \models \varphi_1 \Rightarrow \varphi_2$


• Consider formula $[\pi]\varphi$. Let $x = (i,j)$. For a set $A \subseteq \mathit{Pos}(T) \times \mathit{Pos}(T)$, let $A(x) = \{x' \in \mathit{Pos}(T) \mid (x,x') \in A\}$.

(a) We have

$T,x \models [\pi]\varphi$
$\iff \forall x' \in \llbracket \pi \rrbracket_T(x) : T,x' \models \varphi$
$\iff$ (by I.H.(a)) $\forall x' \in \llbracket \pi \rrbracket_T(x) : \forall \chi \in \mathit{Runs}(T) : \chi,1,x' \models \varphi$
$\iff \forall \chi \in \mathit{Runs}(T) : \forall x' \in \llbracket \pi \rrbracket_{T_\chi}(x) : \chi,1,x' \models \varphi$
$\iff$ (by I.H.(c)) $\forall \chi \in \mathit{Runs}(T) : \forall x' \in \llbracket \pi \rrbracket_{\chi,1}(x) : \chi,1,x' \models \varphi$
$\iff \forall \chi \in \mathit{Runs}(T) : \chi,1,x \models [\pi]\varphi$

(b) Suppose $\varphi$ is good. We have

$T_\chi,x \models [\pi]\varphi$
$\iff \forall x' \in \llbracket \pi \rrbracket_{T_\chi}(x) : T_\chi,x' \models \varphi$
$\iff$ (by I.H.(b)) $\forall x' \in \llbracket \pi \rrbracket_{T_\chi}(x) : \chi,1,x' \models \varphi$
$\iff$ (by I.H.(c)) $\forall x' \in \llbracket \pi \rrbracket_{\chi,1}(x) : \chi,1,x' \models \varphi$
$\iff \chi,1,x \models [\pi]\varphi$


• Suppose $\varphi = \langle\pi_1\rangle r_1 \leq \langle\pi_2\rangle r_2$. Then, $\pi_1$ and $\pi_2$ are both unambiguous. By I.H.(c), $\pi_1$ and $\pi_2$ are unambiguous (wrt. symbolic runs). We show (a):

$T,(i,j) \models \langle\pi_1\rangle r_1 \leq \langle\pi_2\rangle r_2$

$\iff T,(i,j) \models \mathit{loop}(\pi_1 \cdot (A_{r_1})^{-1} \cdot (\pi_< + \varepsilon) \cdot A_{r_2} \cdot (\pi_2)^{-1})$

$\iff$ there are coordinates $(i_1,j_1), (i_2,j_2), (i'_1,0), (i'_2,0) \in \mathit{Pos}(T)$ such that:

1. $((i,j),(i_1,j_1)) \in \llbracket \pi_1 \rrbracket_T$ and $((i,j),(i_2,j_2)) \in \llbracket \pi_2 \rrbracket_T$

2. $((i'_1,0),(i_1,j_1)) \in \llbracket A_{r_1} \rrbracket_T$ and $((i'_2,0),(i_2,j_2)) \in \llbracket A_{r_2} \rrbracket_T$

3. $((i'_1,0),(i'_2,0)) \in \llbracket \pi_< \rrbracket_T$ or $i'_1 = i'_2$

$\overset{(*)}{\iff}$ there exist coordinates $(i_1,j_1), (i_2,j_2), (i'_1,0), (i'_2,0) \in \mathit{Pos}(T)$ such that:

1. $\forall \chi \in \mathit{Runs}(T) : ((i,j),(i_1,j_1)) \in \llbracket \pi_1 \rrbracket_{\chi,1}$ and $((i,j),(i_2,j_2)) \in \llbracket \pi_2 \rrbracket_{\chi,1}$

2. $\forall \chi \in \mathit{Runs}(T) : \chi_{i'_1}^0(\mathit{id}) = \chi_{i_1}^{j_1}(r_1)$ and $\chi_{i'_2}^0(\mathit{id}) = \chi_{i_2}^{j_2}(r_2)$

3. ($\forall \chi \in \mathit{Runs}(T) : \chi_{i'_1}^0(\mathit{id}) < \chi_{i'_2}^0(\mathit{id})$) or $i'_1 = i'_2$

$\iff$ there exist coordinates $(i_1,j_1), (i_2,j_2), (i'_1,0), (i'_2,0) \in \mathit{Pos}(T)$ such that:

1. $\forall \chi \in \mathit{Runs}(T) : ((i,j),(i_1,j_1)) \in \llbracket \pi_1 \rrbracket_{\chi,1}$ and $((i,j),(i_2,j_2)) \in \llbracket \pi_2 \rrbracket_{\chi,1}$

2. $\forall \chi \in \mathit{Runs}(T) : \chi_{i'_1}^0(\mathit{id}) = \chi_{i_1}^{j_1}(r_1)$ and $\chi_{i'_2}^0(\mathit{id}) = \chi_{i_2}^{j_2}(r_2)$

3. $\forall \chi \in \mathit{Runs}(T) : \chi_{i'_1}^0(\mathit{id}) < \chi_{i'_2}^0(\mathit{id})$ or $\chi_{i'_1}^0(\mathit{id}) = \chi_{i'_2}^0(\mathit{id})$

$\overset{(**)}{\iff}$ for all $\chi \in \mathit{Runs}(T)$, there are $(i_1,j_1), (i_2,j_2), (i'_1,0), (i'_2,0) \in \mathit{Pos}(T)$ such that:

1. $((i,j),(i_1,j_1)) \in \llbracket \pi_1 \rrbracket_{\chi,1}$ and $((i,j),(i_2,j_2)) \in \llbracket \pi_2 \rrbracket_{\chi,1}$

2. $\chi_{i'_1}^0(\mathit{id}) = \chi_{i_1}^{j_1}(r_1)$ and $\chi_{i'_2}^0(\mathit{id}) = \chi_{i_2}^{j_2}(r_2)$

3. $\chi_{i'_1}^0(\mathit{id}) \leq \chi_{i'_2}^0(\mathit{id})$

$\iff \forall \chi \in \mathit{Runs}(T) : \chi,1,(i,j) \models \langle\pi_1\rangle r_1 \leq \langle\pi_2\rangle r_2$

Here, $(*)$ holds by I.H.(c) and Lemmas 16 and 17; $(**)$ holds by I.H.(c), Lemmas 16 and 17, and the fact that $\pi_1$ and $\pi_2$ are unambiguous, so that the coordinates are uniquely determined by $T$, $(i,j)$, and $\varphi$.

• The case $\varphi = \langle\pi_1\rangle r_1 < \langle\pi_2\rangle r_2$ is simpler than the previous one. We just have to adapt 3. accordingly.


• Consider the case $\varphi = (\langle\pi_1\rangle r_1 \neq \langle\pi_2\rangle r_2)$. We show (b):

$T_\chi,(i,j) \models \langle\pi_1\rangle r_1 \neq \langle\pi_2\rangle r_2$

$\iff T_\chi,(i,j) \models \mathit{loop}(\pi_1 \cdot (A_{r_1})^{-1} \cdot (\to^+ + \leftarrow^+) \cdot A_{r_2} \cdot (\pi_2)^{-1})$

$\iff$ there are coordinates $(i_1,j_1), (i_2,j_2), (i'_1,0), (i'_2,0) \in \mathit{Pos}(\chi)$ such that:

1. $((i,j),(i_1,j_1)) \in \llbracket \pi_1 \rrbracket_{T_\chi}$ and $((i,j),(i_2,j_2)) \in \llbracket \pi_2 \rrbracket_{T_\chi}$

2. $((i'_1,0),(i_1,j_1)) \in \llbracket A_{r_1} \rrbracket_{T_\chi}$ and $((i'_2,0),(i_2,j_2)) \in \llbracket A_{r_2} \rrbracket_{T_\chi}$

3. $i'_1 \neq i'_2$

$\iff$ (by I.H.(c) and Lemma 16) there are coordinates $(i_1,j_1), (i_2,j_2), (i'_1,0), (i'_2,0) \in \mathit{Pos}(\chi)$ such that:

1. $((i,j),(i_1,j_1)) \in \llbracket \pi_1 \rrbracket_{\chi,1}$ and $((i,j),(i_2,j_2)) \in \llbracket \pi_2 \rrbracket_{\chi,1}$

2. $\chi_{i'_1}^0(\mathit{id}) = \chi_{i_1}^{j_1}(r_1)$ and $\chi_{i'_2}^0(\mathit{id}) = \chi_{i_2}^{j_2}(r_2)$

3. $i'_1 \neq i'_2$

$\iff \chi,1,(i,j) \models \langle\pi_1\rangle r_1 \neq \langle\pi_2\rangle r_2$

• The case $\varphi = (\langle\pi_1\rangle r_1 = \langle\pi_2\rangle r_2)$ is almost identical. In 3., we just replace $\neq$ by $=$.


• Consider the path formula $\pi = \{\varphi\}?$. Note that $\varphi$ is good. We show (c):

$\llbracket \{\varphi\}? \rrbracket_{T_\chi} = \{(x,x) \mid x \in \mathit{Pos}(\chi) : T_\chi,x \models \varphi\}$
$\overset{\text{I.H.(b)}}{=} \{(x,x) \mid x \in \mathit{Pos}(\chi) : \chi,1,x \models \varphi\}$
$= \llbracket \{\varphi\}? \rrbracket_{\chi,1}$

• Consider $\pi = \to$. Suppose the coordinate set of $\chi$ is $[n] \times [k]_0$. We show (c):

$\llbracket \to \rrbracket_{T_\chi} = \{((i,j),(i+1,j)) \mid (i,j) \in [n-1] \times [k]_0\} \cup \{((n,j),(1,j)) \mid j \in [k]_0\}$
$= \llbracket \to \rrbracket_{\chi,1}$

• The regular operations as well as $\uparrow$ and $\downarrow$ are obvious, and the case $\leftarrow$ is symmetric to $\to$.

F Proof of Lemma [l^ 

Let us prove (a).

(⇒): Suppose $\mathcal{D} \models \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi$. Let $T \in L(\psi_\mathcal{D})$. By Lemma 12, there is a run $\chi$ of $\mathcal{D}$ such that $T_\chi = T$. Moreover, since $\mathcal{D} \models \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi$, all runs $\chi$ of $\mathcal{D}$ satisfy $\chi,1,(1,0) \models \varphi$. This applies, in particular, to all runs $\chi$ such that $T_\chi = T$. By Lemma 13, we have $T,(1,0) \models \varphi$. We conclude $L(\psi_\mathcal{D} \wedge \neg\varphi) = \emptyset$.

(⇐): Suppose $\mathcal{D} \not\models \forall_{\mathit{rings}}\forall_{\mathit{runs}}\forall_m\,\varphi$. Then, there are a ring $\mathcal{R} = (n : p_1, \ldots, p_n)$, an $\mathcal{R}$-run $\chi$ of $\mathcal{D}$, and a process $m \in [n]$ such that $\chi,m,(m,0) \not\models \varphi$. Since $\varphi$ cannot distinguish isomorphic rings, we can shift $\mathcal{R}$ until $m$ "arrives" on position 1. Thus, there are $\mathcal{R}' = (n : \ldots)$ and an $\mathcal{R}'$-run $\chi'$ of $\mathcal{D}$ such that $\chi',1,(1,0) \not\models \varphi$. By Lemma 13, $T_{\chi'},(1,0) \not\models \varphi$ and, therefore, $T_{\chi'},(1,0) \models \neg\varphi$. Due to Lemma 12, we also have $T_{\chi'},(1,0) \models \psi_\mathcal{D}$. We conclude $L(\psi_\mathcal{D} \wedge \neg\varphi) \neq \emptyset$.

Part (b) is shown in exactly the same way, restricting the height of a table and the length of a run by the given bound $b$.